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Abstract 

Recently there has been a significant effort to handle quantitative properties in formal verification and synthe¬ 
sis. While weighted automata over finite and infinite words provide a natural and flexible framework to express 
quantitative properties, perhaps surprisingly, some basic system properties such as average response time cannot 
be expressed using weighted automata, nor in any other know decidable formalism. In this work, we introduce 
nested weighted automata as a natural extension of weighted automata which makes it possible to express im¬ 
portant quantitative properties such as average response time. In nested weighted automata, a master automaton 
spins off and collects results from weighted slave automata, each of which computes a quantity along a finite 
portion of an infinite word. Nested weighted automata can be viewed as the quantitative analogue of monitor 
automata, which are used in run-time verification. We establish an almost complete decidability picture for the 
basic decision problems about nested weighted automata, and illustrate their applicability in several domains. In 
particular, nested weighted automata can be used to decide average response time properties. 


1 Introduction 

Traditionally, formal verification has focused on Boolean properties of systems, such as “every request is even¬ 
tually granted.” Automata-theoretic formalisms as well as temporal logics have been studied as specification 
languages for such Boolean properties of reactive systems. In recent years there has been a growing trend to 
extend specifications with quantitative aspects for expressing properties such as “the long-run average success 
rate of an operation is at least one half” or “the long-run average (or the maximal, or the accumulated) resource 
consumption is below a threshold.” Quantitative aspects of specifications are essential for resource-constrained 
systems, such as embedded systems, and for performance evaluation. For example, quantitative specifications 
such as accumulated sum can express properties like number of a events between b events, or memory consump¬ 
tion, whereas long-run average can express properties related to reliability requirements such as average success 
rate. 

For Boolean properties regular languages provide a robust specification framework. Finding the analogue of 
regular languages for quantitative specifications is an active research area 0H2U3I. Some of the key features of 
such a specification framework are (1) expressiveness, i.e., whether the formalism can express properties of inter¬ 
est; (2) ease of specification, i.e., whether the properties can be stated naturally; (3) computability, i.e., whether 
the basic decision problems can be solved —ideally with elementary complexity— for interesting fragments of 
the formalism; and (4) robustness, i.e., whether the formalism is robust against small changes in its definition. 

While automata are an expressive, natural, elementarily decidable, and robust framework for expressing 
Boolean properties, weighted automata provide a natural and flexible framework for expressing quantitative prop¬ 
erties m. Weighted automata are an extension of finite automata in which every transition is labeled by a rational 
weight. Thus, each run produces a sequence of weights, and a value function aggregates the sequence into a single 
value. For non-deterministic weighted automata, the value of a word w is the infimum value of all runs over w. 
Initially, weighted automata were studied over finite words with weights from a semiring, and ring multiplication 

*This research was funded in part by the European Research Council (ERC) under grant agreement 267989 (QUAREM), by the Austrian 
Science Fund (FWF) projects S11402-N23 (RiSE), Z211-N23 (Wittgenstein Award), FWF Grant No P23499- N23, FWF NFN Grant No 
S11407-N23 (RiSE), ERC Start grant (279307: Graph Games), and Microsoft faculty fellows award. 

1 We use the term “quantitative” in a non-probabilistic sense, which assigns a quantitative value to each infinite run of a system, representing 
long-run average or maximal response time, or power consumption, or the like, rather than taking a probabilistic average over different runs. 
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as value function 02). They have been extended to infinite words with limit averaging or supremum as value 
function mini ei. While weighted automata over semirings can express several quantitative properties lf25l . 
they cannot express the following basic quantitative properties. 

Example 1. Consider infinite words over { r, g. i }, where r represents requests, g represents grants, and i rep¬ 
resents idle. A first basic property is the long-run average frequency of r ’s, which corresponds to the average 
workload of a system. A second interesting property is the average number of i’s between a request and the 
corresponding grant, which represents the long-run average response time of the system. 

While weighted automata with limit-average as value function can express the average workload property 
(which weighted automata over semirings cannot express), perhaps surprisingly, they are not capable of expressing 
the long-run average response time. To see this, notice that the value of a weighted automaton with limit-average 
value function is bounded by the maximal weight that occurs in the automaton, whereas the long-run average 
response time can be unbounded. However, long-run average response time can be computed if the sum value 
function can be applied between requests and subsequent grants, and the values of the sum function can be aggre¬ 
gated using limit-average function. Such a mechanism can be expressed naturally by an extension of weighted 
automata, called nested weighted automata, which we introduce in this paper. 

A nested weighted automaton consists of a master automaton and a set of slave automata. The master au¬ 
tomaton runs over an infinite word, and at each transition of the infinite run, it may invoke a slave automaton that 
runs over a finite subword of the infinite word, starting from the position where the master automaton invokes the 
slave automaton. Each slave automaton terminates after a finite number of steps and returns a value to the master 
automaton. To compute its return value, each slave automaton is equipped with a value function for finite words, 
and the master automaton aggregates all return values using a value function for infinite words. While in the case 
of Boolean finite automata, nested automata are no more expressive than their non-nested counterpart, we show 
that the class of nested weighted automata is strictly more expressive than non-nested weighted automata. For 
example, with nested weighted automata, the long-run average response time of a word can be computed, as in 
the following example. 

Example 2. In Example\J]there is only a single type of request and grant, but in general there can be multiple 
types of requests and grants, and the intervals between requests and corresponding grants for different requests 
may overlap. Using a nested weighted automaton, the average response time can be specified across all requests. 
We illustrate this for two types of requests and corresponding grants. The input alphabet is {r i, c/i, r 2 , 32 , *}• ^t 
every request r\ (resp. r 2 ) the master automaton spins off a slave automaton Si (resp. S 2 ) with a sum value 
function, which counts the number of idle events to the next corresponding grant g\ ( resp. < 72 )- Observe that many 
slave automata may run concurrently. Indeed, for the word (V"r??< 7152 )^, at all positions with the letter g\ there 
are 2 • n slave automata that run concurrently. The master automaton with limit-average value function then 
averages the response times returned by the slave automata. 

Our contributions are three-fold. First, we introduce nested weighted automata over infinite words (Section0, 
which is a new formalism for expressing important quantitative properties, such as long-run average response time, 
which cannot be specified by non-nested weighted automata. 

Second, we study the decidability and complexity of emptiness, universality, and inclusion for nested weighted 
automata. We present an almost complete decidability picture for several natural and well-studied value functions. 

• On the positive side, we show that if the value functions of the slave automata are max, min, or bounded sum, 
then the decision problems for nested weighted automata can be reduced to the corresponding problems for 
non-nested weighted automata. Moreover, we show that if the value function of the master automaton is 
limit average and the value function of the slave automata is non-negative sum (i.e., sum over non-negative 
weights), which includes the long-run average response time property, then the emptiness question is de¬ 
cidable in exponential space. Along with the decidability results, we also establish parametric complexity 
results, that show that when the total size of the slave automata is bounded by constant (which is the case 
for average response property), then for all decidability results the complexity matches that of Boolean 
non-nested automata (see Remark l23l>. The decidability proof is obtained by establishing certain regularity 
properties of optimal runs, which can be used to reduce the problem to the emptiness question for non-nested 
weighted automata with limit-average value function. 

• On the negative side, we show that even for deterministic nested weighted automata with sup value function 
for the master automaton and sum value function for the slave automata, the emptiness question is undecid- 
able. This result is in sharp contrast to non-nested weighted automata, where the emptiness and universality 
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questions are always decidable for deterministic automata, and the emptiness question is decidable also for 
non-deterministic sup and sum automata. 

Our results are summarized in Table Q] and Table [2] (in Tableland Table [4] for parametric complexity results) in 
Section l4~4l 

Third, nested weighted automata provide a convenient formalism to express quantitative properties. In the 
Boolean case, monitor automata offer a natural compositional way of specifying complex temporal properties (26), 
and nested weighted automata can be seen as a quantitative extension of monitor automata. Each monitor automa¬ 
ton tracks a subproperty (which corresponds to a slave automaton in our formalism), and the results of the monitor 
automata are combined by another monitor automaton (which corresponds to the master automaton in our formal¬ 
ism). 

• A key advantage of the monitor-automaton approach is that it allows complex specifications to be decom¬ 
posed into subproperties, which eases the task of specification. Our nested weighted automata enjoy the 
same advantage: e.g., for long-run average response time, each slave automaton computes the response time 
(as a sum automaton) of an event, and the master automaton averages the response times. Formally, we show 
that deterministic nested weighted automata can be exponentially more succinct than non-deterministic 
weighted automata even when they express the same property (Theoreml25l). Moreover, monitor automata 
are used heavily in run-time verification |2()fl . Hence our framework can also be seen as a first step towards 
quantitative run-time verification, where the slave automata return values of subproperties, and the master 
automaton (assuming a commutative value function) computes on-the-fly an approximation of the value. 

• More importantly, for Boolean properties monitor automata simply provide a more convenient framework 
for specification, as they are equally expressive as standard automata, whereas we show that nested weighted 
automata are strictly more expressive than non-nested weighted automata (e.g., long-run average response 
time, which cannot be expressed using non-nested weighted automata, can be expressed using nested 
weighted automata. 

In other words, we provide a natural combination of weighted automata (for quantitative properties) and nesting 
of automata (for ease of expressiveness), and as a result obtain a more expressive, elementarily decidable, and 
convenient quantitative specification framework. 

Finally, we illustrate the applicability of nested weighted automata in several domains. (1) We show that the 
model-measuring problem of lf2Dl can be expressed in the nested weighted automaton framework (Section f5.2l >. 
The model-measuring problem asks, given a model and a specification, how robustly the model satisfies the speci¬ 
fication, i.e., how much the model can be perturbed without violating the specification. (2) As dual of the model¬ 
measuring problem, we introduce the model-repair problem and show that it, as well, can be solved using nested 
weighted automata (Section l573T> , The model-repair problem asks, given a specification and a model that does not 
satisfy the specification, for the minimal restriction of the model that satisfies the specification. We show that we 
need nested weighted automata in order to express interesting measures on models for the model-measuring and 
model-repair problems. 

In summary, we introduce nested weighted automata, which offer an expressive and convenient quantitative 
specification framework, and establish that the basic verification problems are decidable for several interesting 
fragments (which include the long-run average response time property). While there exist many frameworks to 
express quantitative properties (that we discuss in details in Section [7}, there exists no framework (to the best of 
our knowledge) that can express the average response time property and admit algorithms with elementary time 
complexity for the basic decision problems. We present a framework (of nested weighted automata) that can 
express such basic system properties and have decidable algorithms with elementary complexity. 

The paper is a full version of lfl3l . 


2 Preliminaries 

Words. Given a finite alphabet E of letters, a finite (resp. infinite) word iu is a finite (resp. infinite) sequence of 
letters. For a word w and i , j G N, we define w[i\ as the i-th letter of w and w[i,j] as the word w;[i]ui[i-|-1] .. ,w\j\. 
We allow j to be oo for infinite words. For a finite word w, we denote by | w | its length; and for an infinite word 
the length is oo. 

Non-deterministic automata. A (non-deterministic) automaton A is a tuple (E, Q, Q o, S, F ), where E is the alpha¬ 
bet, Q is a finite set of states, Qo Q Q is a set of initial states, JCQxExQisa transition relation, and F C Q 
is a set of accepting states. 
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Runs. Given an automaton A and a word w, a run 7r = 7 r[ 0 ] 7 r[l]... is a sequence of states such that 7 r[ 0 ] G Q 0 
and for every i G {1,..., 1^1} we have (n[i — 1], iw[i], 7 r[i]) G 5. Given a word w, we denote by Run(tu) the set 
of all possible runs on w. 

Boolean acceptance. The acceptance of words is defined using the accepting states. A finite run 7r of length j + 1 
is accepting if 7 r[j] G F; and an infinite run 7r is accepting , if there exist infinitely many j such that 7r[j] G F. Let 
Acc(w) C Run(ry) denote the set of accepting runs. A word w is accepted iff Acc(mj) is non-empty. We denote 
by Ca the set of words accepted by A. 

Labeled and weighted automata. Given a finite alphabet T, a T-labeled automaton is an automaton whose transi¬ 
tions are labeled by elements from T. Formally, a F-lahclcd automaton A is a tuple (£, Q. Qo, 6, F, C) such that 
(£, Q. Q { y. 6, F) is an automaton and C : S 1 —>■ V. A weighted automaton is a F-labeled automaton, where L is a 
finite subset of rationals; and the labels of the transitions are referred to as weights. 

Semantics of weighted automata. To define the semantics of weighted automata we need to define the value of a 
run (that combines the sequence of weights of a run to a single value) and the value across runs (that combines 
values of different runs to a single value). To define values of runs, we will consider value functions f that assign 
real numbers to sequences of rationals. Given a non-empty word w, every run tt of A on w defines a sequence of 
weights of successive transitions of A, i.e., C(n) = (C(7r[i — 1], tu[i], 7r[i]))i<j<| UJ |; and the value /(7r) of the run 
7r is defined as f(C( tt)). We will denote by (G7(7r))[z] the cost of the i- th transition, i.e., C(x[i — 1], w[i], 7r[*]). 
The value of a non-empty word w assigned by the automaton A, denoted by £a(w), is the infimum of the set of 
values of all accepting runs; i.e., inf^gAcct™) /( tt), and we have the usual semantics that infimum of an empty set 
is infinite, i.e., the value of a word that has no accepting runs is infinite. Every run 7 r on an empty word has length 
1 and the sequence C(tt) is empty, hence we define the value f(i r) as an external (not a real number) value _L. 
Thus, the value of the empty word is either _L, if the empty word is accepted by A, or 00 otherwise. To indicate a 
particular value function / that defines the semantics, we will call a weighted automaton A an /-automaton. 
Types of automata. A weighted automaton is 

• deterministic iff Qq is singleton and the transition relation is a function; and 

• functional iff for every word w, all accepting runs on w have the same value. 

Value functions. We will consider the classical functions and their natural variants for value functions. For finite 
runs we consider the following value functions: for runs of length n + 1 we have 

1. Max and min: 

• Max( 7 t) = max”_ 1 (C'( 7 r))[i] and 

• Min( 7 t) = min”_ 1 (C'( 7 r))[i]. 

2. Sum and variants: 

• the sum function Sum( 7 t) = ^" =1 (C( 7 r))[i], 

• the absolute sum Sum + ( 7 t) = Abs((C( 7 r))[i]) is the sum of the absolute values of the weights 

(Abs denotes the absolute value of a number), and 

• the bounded sum value function returns the sum if all the partial absolute sums are below a bound B , 
otherwise it returns the bound B, i.e., formally, Sum 5 (77) = Sum( 7 t), if for all prefixes 7of 7 r we 
have Abs(SUM( 7 r')) < B, otherwise B. 

We denote the above class of value functions for finite words as FinVal = {Max, Min, Sum, Sum + , Sum 5 }. 

Although, the absolute sum value function Sum + can be equivalently expressed by Sum restricted to the 
class of weighted automata with non-negative weights, we consider SUM and SUM + separately, as the resulting 
automata differ in complexity results. 

For infinite runs we consider: 

1. Supremum and Infimum, and Limit supremum and Limit infimum: 

• Sup( 7 t) = sup{(C( 7 r))[?'] : i > 0 }, 

• Inf( 7 t) = inf{(C'( 7 r))[/] : i > 0 }, 

• LimSup( 7 t) = limsup{(C'( 7 r))[i] : * > 0 }, and 

• LimInf( 7 t) = lim inf{((7(77))[*] : i > 0 }. 

2. Limit average: LimAvg( 7 t) = limsup j; ■ X^t=i(^'( 7r ))[*]• 

k—f 00 

We denote the above class of value functions for infinite words as InfVal = 
{Sup, Inf, LimSup, LimInf, LimAvg}. 
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Decision questions. We consider the standard emptiness and universality questions. Given an /-automaton A and 
a threshold A, the emptiness (resp. universality ) question asks whether there exists a non-empty word w such that 
Ca(w) < A (resp. for all non-empty words w we have Ca{w) < A). We summarize the main results from the 
literature related to the decision questions of weighted automata for the class of value functions defined above. 

Theorem 3. (1) The emptiness problem is decidable in polynomial time for all value functions we consider [18 
125/ (2) The universality problem is undecidable for SUM -automata with { — 1,0,1} weights and LimAvG- 
automata with (0,1} weights; and decidable in polynomial space for all other value functions £/] [75] |S| [23/. 
(3) The universality problem is decidable for all value functions for deterministic and functional automata m i 


3 Nested Weighted Automata 

In this section we introduce nested weighted automata. We start with an informal description. 

Informal description. A nested weighted automaton consists of a labeled automaton over infinite words, called the 
master automaton, a value function /, and a set of weighted automata over finite words, called slave automata. 
A nested weighted automaton can be viewed as follows: given an infinite word, we consider a run of the master 
automaton on the word, but the weight of each transition is determined by dynamically running slave automata; 
and then the value of a run is obtained using the value function /. That is, the master automaton proceeds on an 
input word as a usual automaton, except that before it takes a transition, it starts a slave automaton corresponding 
to the label of the current transition. The slave automaton starts at the current position of the word of the master 
automaton and runs on some finite part of the input word. Once a slave automaton terminates, it returns its 
value to the master automaton, which treats the returned value as the weight of the current transition that is being 
executed. Note that for some transitions the slave automaton runs on the empty word and returns _L; we refer to 
such transitions as silent transitions. A given run of a nested weighted automaton, which consists of a run of the 
master automaton and runs of slave automata, is accepting if it consists of accepting runs only. Finally, the value 
of an accepting run of the master automaton is given by / applied to the sequence of values returned by slave 
automata (i.e., to compute the value function the silent transitions are omitted). 

Nested weighted automata. A nested weighted automaton is a tuple A = {A ma s] f] 23i, ■ • •, 23^}, where A ma s is 
a {1,..., A:}-labeled automaton over infinite words (where labels are indices of slave automata), called the master 
automaton, / £ InfVal is a value function on infinite sequences, and '23 1 ...., 23;- are weighted automata over 
finite words, called slave automata. 

Semantics: runs and values. Let w be an infinite word. A run of A on w is an infinite sequence (II, 7Ti, 7r2,...) 
such that (i) II is a run of A m as on in; (ii) for every i > 0 we have 7 it is a run of the automaton < Bc , (n[i-i],tu[i].n[i])> 
referenced by the label C(H[i — 1], w [7], II[7]) of the master automaton, on some finite subword w[i, j] of w. The 
run (II, 7Ti, 7T2,.. •) is accepting if all runs II, 7Ti, 772 ,... are accepting (i.e., II satisfies its acceptance condition and 
each 7Ti, 7T2,... ends in an accepting state) and infinitely many runs of slave automata have length greater than 1 
(the master automaton takes infinitely many non-silent transitions). The value of the run (II, 7Ti, 7t2,...) is defined 
as si I (/") (v(7ri) v( 7T2 ) ...), where v(ni) is the value of the run 7in the corresponding slave automaton and sil(/) is 
the value function that applies / on sequences after removing _L symbols. The value of a word w assigned by the 
automaton A, denoted by CA'w), is the infimum of the set of values of all accepting runs. We require accepting 
runs to contain infinitely many non-silent transitions because / is a value function over infinite sequences, so we 
need the sequence v{'K\)v{'K 2 ) ■ ■ ■ with _L symbols removed to be infinite. 

Notation. Let /, g be value functions. We say that a nested weighted automaton A = {Amas] h] 23i,..., *8*,) is 
an (/; //-automaton iff h = / and 23i,..., 23/,. are //-automata (weighted automata over finite words with value 
function g). We illustrate the semantics of nested weighted automata with examples. 

Example 4 (Stuttering). Consider the nested weighted automaton A} (u = (-4^ as ; LimAvG; 23i, 2 * 2 ) where each 
slave automaton is a SUM + -automaton. The automaton Am as has a single state and two transitions {qo,a,qo) 
labeled by 1 and (qo, b , qo) labeled by 2. The slave automaton 23i accepts words from a*b and assigns to a word 
a k b value k. The automaton 232 accepts words from b*a and assigns to a word b k a value k. 

Consider a word {aaabA. A run of A} (u on (aaabA is depicted in Figure\T\ The value of the word is 
Note that A \ tu accepts only words with infinite number ofa’s and b’s, as otherwise, some slave automaton would 
not terminate. For word w = ( a n b) u the value is (IliAIili -f 1 ) • ^-L-, and this shows that the nested weighted 
automaton can return unbounded values (in contrast to a LimAvG -automaton whose range is bounded by its 
maximal weight). Consider the automaton A^ tu = { *4/ las ; LimAvG; 23i, 232 * * 83 ). where *83 has only a single 
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state, which is accepting, and it has no transitions. Thus, IB 3 accepts on the empty word and invoking it is a way 
for A^ las to take a silent transition. Intuitively, each slave automaton counts how many times a given letter occurs. 
Thus the value computed by the nested weighted automaton is the average letter repetition (or average stuttering). 
Silent transitions, produced by calling the automaton * 83 , enable A%_ as to compute average only over positions 
where a new block starts. 

Example 5 (Average response time). Consider the specification for average response time defined as follows: we 
consider words for the alphabet {r,g,i}, where r denotes a request, g denotes a grant, and i denotes idle (no 
request or grant). Consider a word w, and a position j, such that u>[/] is a request, and then the response time 
in position j is the distance to the closest grant, i.e., the response time is j' — j where j' > j is the least number 
greater than j with rt>[/'] = g. The average response time is the limit-average of the response times of the requests. 
Consider a nested weighted automaton, with one slave automaton that has sum of non-negative weights as the 
value function, and the master automaton with limit-average value function. The master automaton for every 
letter r invokes the slave automaton, and for g and i takes a silent transition (i.e., it is a single state automaton 
with r labeled as 1, and g and i labeled as 2). The slave automaton (81 counts the number of steps till the first g 
and the slave automaton (82 accepts only the empty word, which is used to produce silent transitions. The nested 
weighted automaton specifies the average response time property. As discussed in Section [7] since the average 
response time can be unbounded, it cannot be expressed by a non-nested limit-average automaton, whose value is 
bounded by the maximal weight that occurs in it. 

Equivalence with weighted automata. We say that a 
nested weighted automaton A and a weighted automa¬ 
ton A are equivalent iff their values coincide on each 
word, i.e., for all w £ £“ we have Ca(vj) = Ca(w). 

Determinism of nested weighted automata. There are 
two reasons why a nested weighted automaton may be 
non-deterministic. The first one is standard: one of 
the components, the master automaton or one of the 
slave automata is non-deterministic. The second one 
is more subtle: it is the termination of slave automata. 

To accept, a slave automaton has to terminate in an ac¬ 
cepting state, but it not need to be the first time it visits 
an accepting state. It can run longer to compute a dif¬ 
ferent value. However, if the language C recognized 
by the slave automaton is prefix-free, i.e., w £ £ im¬ 
plies that no extension of w belongs to C, then it has 
to terminate once it reaches an accepting state because 
it will have no other chance to accept. This intuition suggests the following definition. 

Types of nested weighted automata. A nested weighted automaton is deterministic iff the master automaton and all 
slave automata are deterministic and each slave automaton recognizes a prefix-free language. A nested weighted 
automaton is functional iff for every word w, each accepting run on w has the same weight. 

We will consider the decision questions of emptiness and universality for nested weighted automata. 
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Figure 1: The master automata (a) A l rnas , (b) Al^ os , 
(c) the slave automaton 53 1 , (d) a run of the nested 
weighted automaton A) tu . 


4 Decision Problems 

In this section we study the decidability and complexity of the decision problems for nested weighted automata. 
We start with some simple observations. 

Simple observations. Note that the emptiness (resp. universality) of /-automata and ^-automata reduces to the 
emptiness (resp. universality) of (/; g)-automata: by simply considering dummy master or dummy slave au¬ 
tomata. Hence by Theorem[3]it follows that the universality problem for (/; g)-automata is decidable only if the 
universality problem is decidable for /-automata and ^-automata. 

Theorem 6 . (1) For f £ InfVal, the universality problem for (/; SUM )-automata is undecidable. (2) For g £ 
FinVal, the universality problem (LimAvG; g)-automata is undecidable. 
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Proof of (1) from Theorem \6\ We show a reduction of the universality problem for SUM-automata with weights 
{ — 1,0,1}, which is undecidable (Theorem[3}, to the universality problem for (/; SUM)-automata, where / £ 
{Inf, Sup, LimInf, LimSup}. The case / = LimAvg follows from (2). 

Let A be a SUM-automaton with weights { — 1,0,1}. Consider an (INF; SUM)-automaton A that works as 
follows. Its acceptance condition enforces that it accepts only words with infinitely many fi letters, i.e., the 
words the form wi#W 2 # ■ • ■ ■ At each letter the master automaton starts an instance of A as a slave au¬ 
tomaton that works to the successive fi letter. On the positions with a letter different than fi, the master au¬ 
tomaton takes a silent transition. Then, the value of a word w-\ fiw-ijj ... is equal to the infimum of values 
In particular, £a((w’#) w ) = Ca(w). Since for every word w\■ ■ ■ there exists i such that 
C&{wifj'W 2 fi ...) = CxHwijf)^), the universality problems for A and A coincide. 

The same construction shows a reduction of the universality problem for SUM-automata to the universality 
problem for (LimInf; SUM)-automata (resp. (SUP; Sum)- automata, (LimSup; SUM)-automata). □ 

Proof of (2) from Theorem \6\ For every g £ FinVal we can define two dummy (/-automata, Aq (resp. Ai) that 
immediately accept and return the value 0 (resp. 1). Therefore, such (LimAvg; (/{-automata can simulate all 
LlMAvG-automata with weights 0,1, whose universality problem is undecidable (Theorem [T|. Therefore, the 
universality problem for (LimAvg; (/{-automata is undecidable as well. □ 

In the decidable cases, the lower bound for the emptiness and the universality problems is PSPACE. Recall, 
the finite automata intersection problem, which asks, given a set of deterministic finite automata, is there a finite 
word accepted by all of them, is PSPACE-complete l22l . That problem can be reduced to the emptiness problem 
of deterministic nested weighted automata. This implies PSPACE-hardness of the emptiness problem for deter¬ 
ministic nested weighted automata. Moreover, for deterministic nested weighted automata, the emptiness problem 
can be reduced to the universality problem. Therefore, the universality problem for deterministic nested weighted 
automata is also PSPACE-hard. 

Proposition 7. For all f £ InfVal and g £ FinVal, the emptiness (resp. the universality) problem for deterministic 
nested weighted automata is PSPACE-hard. 

Proof. Let Ai,. ■ ■, A„ be deterministic finite automata over the alphabet £. First, we modify each of them to 
obtain A \,..., A* over £ U {#, $} such that jj, $ ^ £ and for every i £ {1,..., n} we have A* accepts u 
iff u = fi k w% and A, accepts w. Observe that A\,.... A), recognize prefix-free languages. Then, we define 
a nested weighted automaton whose slave automata are AI ,..., A* and the master automaton recognizes the 
language (# n {a, &}*$)“. The master automaton invokes all slave automata on successive letters. Thus, for 
a word jfi rl wi§ffi n W 2 § ... to be accepted, the slave automaton A\ has to accept the words jj n wi%, fi n W 2 $, • ■ -, 
A% has to accept the words • ■ - and so on. It follows that the nested weighted automaton 

accepts the language jf n wi%jf n W 2 % ■ ■ ■ such that all words w±,W 2 are accepted by all automata Ai, ■ ■ ■ ,A n - 
Therefore, the nested weighted automaton accepts any word iff there exists a finite word accepted by all automata 
Ai ,..., A n . The nested automaton defined as above is deterministic. □ 

4.1 Regular Weighted Slave Automata 

We present a general result that ensures decidability for the decision problems for a large class of nested weighted 
automata. We now consider slave automata that can only return values from a bounded domain, and present 
decidability results for them. 

Definition 8 (Regular weighted automata). Let A be a weighted automaton over finite words. We say that the 
weighted automaton A is a regular weighted automaton iff there is a finite set {qi ...., q n } C Q and there are 
regular languages Ci ,..., C n such that 

(i) every word accepted by A belongs to Ui<j< n a,u 1 

(ii) for every w £ Ci, each run of A on w has the weight q t . 

Remark 9. Regular weighted automata define the class of are equivalent to recognizable step functions mi- 
However, we (implicitly) require regular languages Ci ,..., C n to be disjoint, whereas the value of a recognizable 
step function at a word w is defined as the minimum qi £ {qi ,..., q n } among such i’s that w belongs to Ci. 

We define the description size of a given regular weighted automaton A, as the size of automata Ai ,..., A n 
recognizing languages C \,..., C n that witness A being a regular weighted automaton. 
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Regular value functions. A value function / is a regular value function iff all /-automata are regular weighted 
automata. Examples of regular value functions are Min, Max, S UM l! . Observe that the description size of a Min, 
Max and SUM ^"-automaton A is polynomial in ul|, but it is exponential in the length of binary representation of 
B , for a SUM B -automaton A. 

Key reduction lemma. In the following key lemma we establish that if the slave automata are regular weighted 
automata, then nested weighted automata can be reduced to weighted automata with the same value function as for 
the master automata. For regular weighted slave automata, a weighted automaton can simulate a nested weighted 
automaton in the following way. Instead of starting a slave automaton, the weighted automaton guesses the weight 
of the current transition (i.e., the value to be returned of the slave automaton) and checks that the guessed weight 
is correct. The definition of regular weighted automata implies that such a check can be done by a (non-weighted) 
finite automaton S. Thus, the weighted automaton takes a universal transition such that in one branch it continues 
its execution and in another it runs S. Observe that such a universal transition can be removed by a standard power- 
set construction. Given a value function /, recall that si I (/) is the value function that applies / on sequences after 
removing silent transitions. The following Lemma [TO] along with Theorem|3]implies TheoremfTOI 

Lemma 10 (Key reduction lemma). Let f £ InfVal be a value function. Consider a nested weighted automaton 
A = ( Amas'i /; © 1 ,..., ©fc) such that all automata ©i,..., ©& are regular weighted automata. There is a 
sil (/)-automaton A (weighted automaton), that can be constructed in polynomial space, which is equivalent to A; 
moreover, if A is functional, then A is functional as well. 

Proof. Assume that each slave automaton ©, has the weights from the set {— n,..., n}. Then, since all of the 
slave automata are regular weighted automata, for all* £ {1,..., A:} and j £ {— n,..., n} there is a deterministic 
finite word automaton Sij that recognizes the language of all words w such that ( w) = j. Since ©,; is a 
regular weighted automaton, it accepts precisely when one of the automata Si_o ,..., S, „ accepts. 

We define Qs (resp. Fs) as the disjoint union of the sets of states (resp. the sets of accepting states states) 
of all automata Sij. Let Q m (resp. F m ) be the set of all states (resp. all accepting states) the master automaton 
Amas■ We define a relation Step C 2® s x E x 2^ s , which is the union of transition relations lifted to sets 
of states, i.e., ({qr,..., q{\, a, {q [,..., q [}) € Step iff for every m £ {1,..., Z}, some automaton Sij has a 
transition (q m ,a,q' m ). 

We define A, which we show is equivalent to A, as a generalized Biichi automaton, which differs from an 
automaton over infinite words (Biichi automaton) in the acceptance condition. An acceptance condition in a gener¬ 
alized Biichi automaton is a sequence of f),..., F s of sets of states. A run is accepting iff for each d £ {1,..., s} 
there is a state from Fd visited infinitely often. There is a straightforward reduction of a generalized Biichi automa¬ 
ton to a Biichi automaton, and we omit the reduction and for technical convenience consider generalized Biichi 
condition for the proof. 

The automaton A works as follows. It simulates the execution of the master automaton. Every time the master 
automaton starts a slave automaton ©j, the automaton guesses the value j that ©,; returns and checks it, i.e., it 
starts simulating the automaton Sij, by including the initial state of S KJ in a set of states Pi. The automaton A 
maintains two sets of states of simulated automata. Pi and P 2 : states in Pi and P> represent states of Sij and 
basically, there are states in P 2 until all automata corresponding to them terminate. Once they do, P 2 is empty and 
all states from Pi are copied to P 2 . Intuitively, the role of Pi and P 2 is to ensure that each automaton terminates, 
by enforcing P 2 to be empty infinitely often. We now formally define A = (E, Q. go, C, 6, F) as follows: 

1. Q = Q m x ({—n,..., n} U {_L}) x 2 Qs x 2 Qs 

2 . go = (g™, 0, 0, 0), where g™ is the initial state of the master automaton 

3. ((g, j, Pi, Pf), a, (g', j', P(. Pf)) £ S iff (g, a, g') is a valid transition of the master automaton labeled by i 
and one of the following holds (intuitive descriptions follow): 

(a) j = _L, P[ = P[' \ F s , P 2 ' = P" \ F s , where Step(Pi, a, Pj') and Step(P 2 , a, Pf ), 

(b) j ^ _L, P 2 = 0, P{ = {go J } and P' 2 = P!f \ Fs, where Step(Pi, a, P!f) and gjj is the initial state of 
Sij, the automaton that checks that the slave automaton ©, started at the current position returns the 
value j, 

(c) j _L, P 2 ^ 0, P{ = (P{' U {(Jo 3 '}) \ F s and P^ = P'f \ F s , where Step(Pi, a, P{') and 
STEP(P 2 ,a,P2') 
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The intuitive descriptions are as follows: (a) the first transition corresponds to a silent transition, and hence 
we compute the successor states of sets P\ and P 2 and remove the accepting states (that correspond to 
automata that terminate); (b) the second transition is similar to the first case but here a new automaton that 
simulates the slave automaton is started, but since P 2 is empty we compute the next If from the successor 
of Pi according to Step but after removing the accepting states, and the new Pi is the initial state of the 
simulating automaton; and (c) the third transition is very similar to the first transition just that the initial 
state of the simulating automaton is added to the P[. 

4. the cost function is defined as C((q, j, Pi, P 2 }, a, (q 1 ,j ', P{, P 2 }) = j', 

5. F consists of Pi = F m x ({— n ,..., n}U{_L}) x2® s x2® s andP 2 = Q m x ({—re,..., re}U{_L}) x2® s X0. 
Intuitively, Pi ensures that the acceptance condition of the master automaton is satisfied and P 2 ensures that 
P 2 is empty infinitely often. 

The correctness follows from the construction. □ 

The automaton A in Lemma flOl is constructed in polynomial space, which means that A can be represented 
implicitly, i.e., its exponential-size set of states is represented in a compact way and for each transition triple 
(q. a, q') one can compute in polynomial time whether that triple is a transition of A and what is its weight. 

Remark 11. The automaton A from Lemma \1()\ has exponential size in |A|. More precisely, the size of A is 
exponential in the total size of slave automata of A, but only polynomial in the size of the master automaton of A. 

Proof The set of states of the automaton A from is Q = Q m x ({—n ,..., n} U {-L}) x 2® s x 2® s , i.e., it is 
linear in the size of the master automaton of A. Moreover, the weights of A are bounded by a constant re. Thus, 
A is polynomial in the size of the master automaton of A. □ 

Now, we show a simple lemma regarding weighted automata with silent moves. 

Lemma 12. Let f £ {Inf, Sup. LimInf, LimSup}. (1) The emptiness problem for sil (f)-automata is in 
NLOGSPACE. (2) The universality problem for s\\(f)-automata is in PSPACE. 

Proof Given a sil(/)-automaton A , where f £ InfVal, we define the automaton A 1 as the /-automaton that 
results from A by substituting each silent transition by a transition of the weight L Observe that for every sil(lNF)- 
automaton A for every infinite word w we have £_a(w) < A iff C A (\+ 1 > ( w ) < A. The same equivalence holds for 
every sil(Sup)-automaton A and its variant aF A- 1 F Thus, the emptiness and universality problems for sil(lNF)- 
automata (resp. sil(Sup)-automata) and iNF-automata (resp. Sup-automata) coincide. Now, a run of a sil(lNF)- 
automaton is accepting only if it contains infinitely many non-silent transitions. Therefore, the above equivalences 
hold for / £ {LimInf, LimSup} and the corresponding problems coincide. As the emptiness problem for /- 
automata is in NLogSpace we have (1). The universality problem for /-automata is in PSPACE, hence we have 
( 2 ). □ 

Finally, we are ready to prove theorem characterizing complexity of decision problem for newsted weighted 
automata whose slave automata are {Min, Max, Sum 3 }. 

Theorem 13. Let g £ {Min, Max, Sum 3 }. The following assertions hold: (1) Let f £ 
{Inf, Sup, LimInf, LimSup}. The emptiness problem for non-deterministic (f;g)-automata is PSpace- 
complete. The universality problem for non-deterministic (/; g)-automata is PSPACE -hard and in ExpSpace. 
(2) The emptiness problem for non-deterministic (LimAvG; g)-automata is PSPACE -complete (3) The universality 
problem for functional (LimAvG; g)-automata is PSVACE-complete. 

Proof. PSPACE-hardness in (1), (2) and (3) follows from Proposition!?] We will discuss containment separately: 

(1): Let / £ {Inf, Sup, LimInf, LimSup} and g £ {Min, Max, Sum 3 }. Due to Lemma ITOl every ( f;g)- 
automaton A is equivalent to some sil (/)-automaton A! of exponential size in _4|. By Lemma fl2l the emptiness 
problem for sil(/)-automata is in NLogSpace. The construction from LemmaflOl implies that the automaton A! 
can be represented implicitly, i.e., given two states q , <f the existence and weight of the transition (</, a, (/) can be 
decided in polynomial time. Therefore, the emptiness problem for (/; (y)-automata is in PSPACE. 

By Lemma fl2l and the universality problem for si I (/)-automata is in PSPACE and Al' is of exponential size 
in |Al|, hence we have the universality problem for (/; 9 )-automata is in ExpSpace. 
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(2) : LemmalTOlstate that (LimAvG; g)-automata are equivalent to sil(LlMAvG)-automata, which enjoy decid¬ 
ability of the emptiness problem (Lemma [35l> in NLogSpace. As in (1), the automaton A' can be represented 
implicitly, hence the emptiness problem for (LimAvG; p)-automata is in PSPACE. 

(3) : The universality problem for functional (LimAvG; p)-automata reduces to the emptiness problem for 

functional (LimAvG; g)-automata. It suffices to (1) first check that every word has an accepting run, which can be 
done in polynomial space, (2) construct a (LimAvG; pj-automaton A' by taking additive inverses of all weights in 
all slave automata of a given nested weighted automaton. The automaton A satisfies the universality problem with 
threshold A iff it satisfies (1) and the automaton A' from (2) does not satisfy the emptiness problem with threshold 
—A. Therefore, the universality problem for functional (LimAvG; p)-automata is in PSPACE. □ 

Remark 14. Assume that the total size of slave automata is bounded. Then, by Remark [77] the size of the 
automaton A is polynomial in the size of the master automaton of a given nested automaton. In consequence, the 
emptiness problem for automata from (1) and (2) from Theorem U 3\ becomes PTlME and the universality problem 
for automata from (1 )from Theorem \l 3\ becomes PSPACE -complete. 

Theorem[l3l covers the case for all classes of slave automata other than Sum- and SUM + -automata, which we 
consider in the following two subsections. 

4.2 Undecidability Results for Slave Sum Automata 

In this section we study (/; Sum) -automata and we present a crucial negative result. 

Note that for weighted automata with the value function from FinVal or InfVal, the emptiness problem is 
decidable (for non-deterministic automata); and all decision problems are decidable for deterministic automata. 
In sharp contrast we establish that for deterministic (SUP; SUM)-automata the emptiness problem is undecidable. 
The proof is a reduction from the halting problem of a two-counter (Minsky) machine to the emptiness problem. 
The key idea is to ensure that words that encode valid computations of the Minsky machine have value 0; and 
all invalid computations have value strictly greater than 0. Basically, we need to check consistency of values of 
each counter at each step, which is done as follows. The task of the master automaton is to ensure that tests on 
the counters Co, C\ are consistent. The master automaton uses several slave automata to track the exact values of 
the counters. Each slave automaton operates on an alphabet which is increment and decrement for the counters 
Co, ci, as well as zero and positive test, and for each counter we have three slave automata. For positions i < j, 
let co-balance (resp. ci-balance) between position i and j denote the difference in the number of increments and 
decrements of the counter co (resp. ci) between i and j. For zero tests of a counter, two slave automata are invoked: 
the first automaton (resp. second automaton) increments (resp. decrements) with every increment operation on 
the counter and decrements (resp. increments) with every decrement operation on the counter and terminates with 
the value at the position of the next zero test. Intuitively, the two automata compute co-balance and the opposite 
(the additive inverse) of co-balance between two consecutive zero tests. Given the zero test of the current position 
is satisfied, both automata return zero iff the next zero test is also satisfied, otherwise one of them return a positive 
value. For positive tests of a counter we use the third slave automaton to compute the co-balance plus 1 between 
the current position and the next zero test of cq. The co-balance plus 1 does not exceed zero iff the value of co at 
the current position is positive. We repeat a similar construction for c\. The construction of slave automata does 
not depend on the given two-counter machine, therefore the reduction works even in the presence of a constant 
bound on the size of slave automata. 

This establishes the undecidability for emptiness of (SUP; SUM)-automata, and the proof also holds for 
(LimSup; SUM)-automata. Also observe that since we establish the result for deterministic automata, we can 
take opposites of weights and change SUP (resp. LimSup) to Inf (resp. LimInf) and the emptiness problem to 
the universality problem. 

Theorem 15 (Crucial undecidability result). (1) The emptiness problem for deterministic (SUP; Sum)- and 
(LimSup; S\JM)-automata is undecidable. (2) The universality problem for deterministic (lNF;SUM)- and 
(LlMlNF; Sum )-automata is undecidable. 

Proof of (1) from TheoremU~5\ Given a Minsky machine M, we construct a deterministic (SUP; SUM)-automaton 
A that accepts infinite words of the form Moreover, the value of the word ... is 0 iff each 

subword encodes a valid accepting computation of M. As the problem, given a Minsky machine, does it have 
an accepting computation is undecidable, we conclude that the emptiness problem for deterministic (SUP; Sum)- 
automata (resp. (LimSup; SUM)-automata) is undecidable. 
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A Minsky machine M. is a finite automaton augmented with two counters Ci,C 2 . The counters can be in¬ 
cremented, decremented and tested whether they are zero or positive. The transitions of M depend on the 
values of counters, namely, whether they are equal zero. That is, each transition has the following form 
{q,s,t) -> (q',vi,V 2 ), where s € {ci = 0, Ci > 0}, t € {C 2 = 0, C 2 > 0} and v\, t > 2 6 {-1,0,1}. E.g. 
(q, Ci = 0 , c 2 > 0 ) —»• (q', + 1 , — 1 ) means that if the machine is in the state q, the value of ci is 0 and c 2 greater 
than 0 , then the next state is q', Ci is incremented and c 2 is decremented. 

We define two notions for Minsky machines, a run and a computation. A run of a Minsky machine A4 is a 
sequence ( qo , 0 , 0 ), (q±, a±, f3\) : ..., (q n , a n , f3 n ) such that for every i < n there is a transition of M. (q i; s, t) —> 
(q-i+i , V\. t> 2 ) such that a,; satisfies s, Pi satisfies t, and a, + i = on+v\, Pi+i = /?i+u 2 . A run is accepting iff its last 
element is (qp, 0, 0). A computation of Ai is a sequence of elements Q x {ci = 0, Ci > 0} x {c 2 = 0, c 2 > 0} x 
{ —1,0,1} x { — 1,0,1} called configurations. A computation (q 0 , ci = 0, c 2 = 0, 0,0), {qi,si,ti,%i,yi), ..., 
(q n , Ci = 0, c 2 = 0 , x n ,y n ) is valid iff there is an accepting run (q 0l 0 , 0 ),..., (q n , a n , /3 n ) such that for every 

i e {0,..., n}, OLi = Y?j=o x 3 and Pi = Y!j =0 Vi- 

Consider a valid computation rj and the corresponding accepting run 7 r. For positions i < j, let ci -balance 
(resp. C 2 )-balance between position i and j (in 77 ) denote the difference in the number of increments and decre¬ 
ments of ci (resp. c 2 ) between i and j. Since the initial value of the counters is 0, the value of a counter ci (resp. 
c 2 ) in 7 t[z] is precisely its ci-balance (resp. C 2 -balance) between positions 1 and i. Thus, forp € {1, 2}, a zero test 
(non-zero test) of c p at the position i is valid iff c p -balance between positions 1 and i is 0 (is strictly positive). 

Consider a computation 77 of a Minsky machine A4. If it is invalid then there is a first position in 77 such that 
the corresponding sequence over Q x N x N is not a run. There are two possible reasons for that: (i) A4 has 
no transition consistent with a step from r/[i] to 77(7 + 1 ] , (ii) the configuration at r/[i] is inconsistent with the 
current values of Ci, c 2 , i.e., a zero or a non-zero test is inconsistent with the actual value of a counter. A Boolean 
automaton can check whether the computation is invalid because of (i). We show how to check (ii), i.e., validity 
of zero and non-zero tests, using a nested weighted automaton. 

Let p £ {1,2}. First, we check validity of zero tests on c p . All zero tests on c p are valid iff c p -balance 
between any two consecutive zero tests is zero. To check that this holds, the nested weighted automaton starts 
at each position i with a zero test two deterministic slave SUM-automata: _ 0 ,_4.“_ 0 . The automaton A+ 1=0 

computes c p -balance between i and the next zero test of c p ; it increments (decrements) its value whenever c p is 
incremented (decremented), and it terminates at the next zero test of c p . The automaton Af =0 does the opposite, 
i.e., it computes the additive inverse of c p -balance between i and the next zero test of c p . The values of these 
automata are inverses of each other and the maximum of their values is the absolute value of c p -balance. Hence, 
the maximum of their values is less-or-equal to zero iff c p -balance between i and the next zero test of c p is 0. Thus, 
the values of all slave automata A^ =0 , Af =0 are less-or-equal to zero if and only if all zero tests of c p are valid. 

Second, we check that non-zero tests are valid. To do that, the automaton starts at every position i with a 
non-zero test a third slave SUM-automaton A Cl >0 that first increments its value to 1 and then computes c p -balance 
between i and the next zero test of c p . The value of c p at the position i is strictly greater than 0 iff c p -balance 
between the position i and the next position at which c p is 0 does not exceed —1. Provided that verifying zero 
tests succeeds, the value of „4 Cl >o is less-or-equal to 0 iff the non-zero test at the position i is valid. 

The value of the nested weighted automaton does not exceed 0 if and only if the values of all slave automata 
are less-or-equal to 0, which holds precisely when all zero and non-zero tests on c p are valid. In the above 
construction up to four automata has to be started at any configuration, while nested weighted automata can start 
at most one slave automaton at each step. However, we can encode configurations by some fixed number of letters. 
E.g. c $ $ $ $ where c is a letter that fully encodes a configuration ( q , a, /3, x, y) and $ letters are used only to start 
enough slave automata. It follows that A accepts a word tui#t/; 2 # ■ • ■ and assigns it the value 0 iff each word Wi 
encodes an valid accepting computation of ,/Vf. 

Observe that the same automaton. A, considered as (LimSup; SUM)-automaton returns the same result. In¬ 
deed, if a given Minsky machine does not have an accepting computation, each accepted word will have posi¬ 
tive value. On the other hand, if there is an accepting computation w, the value of (SUP; SUM)-automata and 
(LimSup; SUM)-automata the word ( 7 uff) u coincides, hence it is 0. □ 

Proof of (2) from Theorem\T5\ The universality problem for deterministic (INF; SUM)-automata is the dual of 
the emptiness problem for deterministic (SUP; Sum)- automata. Indeed, consider a deterministic (INF; Sum)- 
automaton A and the nested weighted automaton A' that results from taking inverses of all weights in A and 
changing its value function to Inf. One can easily check that for every word w, the weight of w assigned by A is 
x , then A' assigns to w the weight —x. □ 
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4.3 Decidability Results for Slave Sum- and SUM + -Automata 

We now establish the remaining decidability results, namely, for slave automata with Sum + value function, and 
emptiness for (INF; SUM)-automata and (LimInf; SUM)-automata. In contrast to the reduction of LemmaflOl for 
example, (LimAvG; SUM + )-automaton cannot be reduced to weighted sil(LlMAvG)-automata (Example^. 
Intuitive proof ideas. For (/; SUM + )-automata, for / £ InfVal \ {LimAvg}, we show that the decision problems 
can be reduced to the bounded sum value function; and then derive the decidability results from TheoremQj] The 
reductions are polynomial in the size of the master automaton. For (INF; SUM)-automata we show the emptiness 
problem is decidable and the main argument is a reduction to the emptiness of non-deterministic weighted au¬ 
tomata with SUM value function. The constructed automaton is exponential in the size of a nested automaton, but 
only polynomial in the size of the master automaton, i.e., if the total size of slave automata and the threshold are 
bounded by a constant. We summarize the results in the following theorem. 

Theorem 16. (1) For f £ {Inf, LimInf}, the emptiness problem for (/; SUM )-automata is PS PACE-complete. 

(2) For f £ {SUP, LimSup}, the universality problem for functional (f- 1 SUM)-automata is PSPACE -complete. 

(3) For f £ {INF, Sup, LimInf, LimSup}, the emptiness problem for (/; SUM + )-automata is PSEACE-complete, 
and the universality problem for (/; S\JM + )-automata is PSPACE -hard and in ExpSpaCE. 

Proof of (1) from Theorem 17b] PSPACE-hardness follows from Proposition |T| For containment in PSPACE, let 
A = (Amas\ Inf; ©i, ..., *8 fc) be a nested weighted automaton (INF; SUM)-automaton. We construct a SUM- 
automaton over finite words A such that the emptiness problem for A and A coincide. The automaton A works 
over words over the alphabet E U {#, 1,... k} of the form wiv#u'#u, where w, v,u' ,u £ E* and i £ {1,... k}, 
and the value of its run, if it is accepting, is the value of the slave automaton 23, on the word v. The automaton 
A consists of two components. The first component A \, a Boolean one whose all weights are 0, ensures that A 
has an accepting run on wvu'u u such that the slave automaton started at the beginning of the word v is 23 , and 
23,: accepts the word v. The second component, A 2 , is a weighted one and it computes the value of 23, on v. 
Clearly, the size of A 2 is proportional to the size of 23,. Observe that the value of each run of A depends only on 
a finite prefix of a word, i.e., for each run of A there is a finite prefix wvu'u such that the value of that run equals 
C'A{wiv#u'#u). It follows that the emptiness problem for A and A coincide. The construction of A\ is similar 
to the construction from LemmaQI)] hence the emptiness problem for A = A \ x A 2 can be solved in polynomial 
space w.r.t. |A|. 

Assume that A is a (LimInf; Sum)- automaton. We carry out virtually the same construction of a SUM- 
automaton over finite words A. The automaton A accepts words wivjfu such that 23, accepts v and A has an 
accepting run on w(vu) u at which the slave automaton invoked at the positions w, wvu, ..., w(vu) k , ... is 23;. 
The value of A on an accepted word wivjfu is the value of 23; on v. It follows that if A has a run of value A on 
wiv#u, A has a run of the value A on w(vu) u . Conversely, if A has a run of the value A, there is a reachable 
state q of the master automaton A rn as of A and a slave automaton 23 , such that infinitely often A ma s in the state q 
invokes 23, which returns the value A. Thus, there are words v. u such that 23, on v returns the value A and A mr ,s 
upon reading vu returns to the state q. Moreover, there is a word w such that A„, as reaches q from the initial state 
upon reading w. Therefore, the value of w(vu) w in A is at most A. Hence, the emptiness problems for A and 
A coincide. Similarly to the (Inf, Sum + ) case, the emptiness problem for A can be solved in polynomial space 
w.r.t. |A|. □ 

Remark 17. The construction of A\ is similar to the construction from Lemma[ T0\ hence it is polynomial in the 
size of the master automaton. Therefore, the emptiness problem for (INF; SUM )-automata (resp. (LlMlNF; Sum)- 
automata) is in PTlME provided that the total size of slave automata is bounded. 

Proof of (2) from Theorem[l6\ PSPACE-hardness follows from Proposition [7] The universality problem for func¬ 
tional (INF; SUM)-automata (resp. (LimInf; SUM)-automata) reduces to the emptiness problem for functional 
(SUP; SUM)-automata (resp. (LimSup; SUM)-automata). It suffices to (1) first check that every word has an ac¬ 
cepting run, which can be done in polynomial space, (2) construct an automaton (INF; Sum (-automaton (resp. 
(LimInf; SUM)-automaton) A' by taking inverses of all weights in all slave automata of a given nested weighted 
automaton. The automaton A satisfies the universality problem with threshold A iff it satisfies (1) and the automa¬ 
ton A' from (2) does not satisfy the emptiness problem with threshold —A. Therefore, the universality problem 
for functional (INF; SUM)-automata (resp. (LimInf; SUM)-automata) is in PSPACE. □ 

Proof of (3) from Theorem\f6\ PSPACE-hardness follows from Proposition|7] 
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Let A be the threshold given in the emptiness (resp. universality) problem. Consider a (/; SUM s )-automaton 
A\ where B = A +1, obtained from A by changing each slave Sum + automaton '13 into S UM A+1 -automaton '13 A . 
Basically, such a SUM A+1 -automaton '13 A simulates runs of SUM + -automata by implementing a A + 1-bounded 
counter in its states Q x {0,..., A + 1}, where Q is the set of states of '13. If '13 accumulates the value above 
A, the automaton '13 A returns just A + 1, regardless of the actual value accumulated by '13. The automaton A a is 
polynomial in A, which can be exponential in the input size. Observe that for / £ {Inf, SUP, LimInf, LimSup}, 
for every word w, A has a run on w of the value not exceeding A threshold iff A a has. It follows that the 
emptiness (resp. universality) problem for (/; Sum + )- automata with threshold A reduces to the emptiness (resp. 
universality) problem for (/; SUM A+1 )-automata. Since Sum s is a regular value function. Lemma flOl states 
that for / £ {Inf, Sup, LimInf, LimSup}, a (/; SUM A+1 )-automaton A a is equivalent to a sil(/)-automaton A. 
Therefore, the emptiness (resp. the universality) problem for (/; SUM + /automata reduces to the emptiness (the 
universality) problem for sil(/)-automata. However, by employing Lemma ITOl we get A of the size exponential 
in | A a | and doubly-exponential in | A|. We show that the second exponential blow-up can be avoided. 

We show that there exists a sil(/)-automaton A~, equivalent to A of the exponential size in the input size. 
Infimum case. Let / £ {Inf, LimInf}. Original sil(/)-automaton A simulates runs of all slave automata of A a . 
The modified sil(/)-automaton A~ simulates only a single SUM A+l -automaton at the time, which is chosen non- 
deterministically. For remaining slave automata, only their non-weighted counterparts are simulated, i.e., SUM + 
automata from A with weights removed. Since / is infimum of limit-infimum value function, the automata A and 
A~ are equivalent. The cardinality of the set of states of A~ is 0(2l /l • |A| • B). Therefore, the size of A~ is 
exponential in the input size. 

Supremum case. Let / £ {Sup, LimSup}. Recall that the set of states of *B A is Q x {0,..., A + 1}, where Q is 
the set of states of 23. We obtain A~ from A, by imposing the following condition: (*) at every position k, if A~ 
simulates two runs 7r*, nj of 23 A that have states (g, wi) resp. (g, W 2 ) at position k, with w 1 > W 2 , A~ discards 
the run 7 tj (the one that has the state (g, w^))- Intuitively, the run 7 tj can be completed to an accepting run that 
accumulates lower value than 7 u, thus simulating it is redundant. We argue that A and A~ are equivalent. 

The A~ simulates only a subset of slave automata. Since its value function is sil(Sup) or sil(LlMSUP), for ev¬ 
ery word w, the value of A does not exceed the value of A. Conversely, consider an accepting run (n, 7ti , 772 , .. .) 
of A a on w. We can modify runs of slave automata 7ti, 7T2,... so that the modified run (n, 7 /, tt' 2 , ...) satisfies the 
following condition (**): at every position k in w, if runs 7 r,, 7 Tj have states (g, w 1 ), resp. (g, W 2 ) at the positions 
corresponding to k, then they accumulate the same value in the remaining part of of the run. One can achieve that 
by changing the suffix of the run that accumulates greater value to the suffix of the other run. Such an operation 
of substituting a prefix decreases the value, hence it can be executed finitely many times for each run, and it will 
not produce infinite runs of slave automata. Observe that the modified run is an accepting run of A a of the value 
not exceeding the value of (n, 711 , 712 ,...). 

Now, observe that for a run of A a satisfying (**), if runs 7 ^, 7 Tj have states ( q,wi ), resp. (q,W 2 ) at the 
positions k in w, with w 1 > u> 2 , the value of 7 ^ is greater than the value of 7 Tj, and the run ttj can be discarded. 
Such an operation corresponds to the condition (*) imposed by A~ . Therefore, the values of w assigned by A a , A 
and A~ are equal. 

The cardinality of the set of states of A~ is 0((|A| • S)I A I), which is exponential in the input size. 

The emptiness (resp. the universality) problem of a (/; Sum + / automaton A reduces to the emptiness (the 
universality) problem for sil(/)-automaton A~ of the exponential size in |A| + log(A). Hence, by Lemmafl2l for 
(/; SUM + )-automata, the emptiness problem is in PSPACE and the universality problem is in ExpSpace. □ 

Remark 18. Let / £ {Inf, LimInf, Sup, LimSup}. Assume that the threshold A is given in unary. Then, for 
(/; SUM + )-automata, the emptiness problem is in PTlME and the universality problem is PSPACE -complete. 

Proof. Let / £ {Inf, LimInf, Sup, LimSup}. Assuming that the threshold is given in unary and the total size 
of slave automata is bounded, the size of A~ is polynomial in the size of A. Therefore, the emptiness (resp., 
the universality) problem for (/; SlJM + (-automata reduce to the emptiness (resp., the universality) problem for /- 
automata. The emptiness problem for /-automata is in PTlME and the universality problem is PSPACE-complete. 
Hence, the result follows. □ 

Finally, we establish decidability of the emptiness problem with limit-average master automaton and Sum + - 
automata as slave automata. The key proof idea is to show that values of certain runs of (LimAvg; Sum + )- 
automata coincide with the values of non-nested limit-average automata, and those runs have values arbitrarily 
close to the infimum over values of all runs. This also allows us to show the decidability of the universality 
problem for functional (LimAvg; Sum + / automata. 
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Theorem 19. The emptiness problem for (LimAvG; Sum + )-automata is PSPACE -hard and in ExpSpace; and 
the universality problem for functional (LimAvG; SUM + f automata is PSPACE-hard and in ExpSpace. 

We present the proof of part (1) from Theoremfl5lin Section [ 6 ] In the following, we show the proof of part (2) 
from Theorem[l5l 

Observe that for a run of a functional nested weighted automaton, as long as the run is accepting, its value 
does not depend on the choices of transitions. Therefore, we will focus on the construction of an accepting run 
with the maximal value to compute the minimal threshold for the functionality problem. 

Lemma 20. Let A be a functional (LimAvG; Sum + )-automaton and let A be the value bounding weights in all 
slave automata of A. Then, one of the following holds: 

1. For every accepting run, there is a position so such that every slave automaton started after so accumulates 
the value not exceeding A • conf (A). 

2. The automaton A has an accepting run of infinite value (whose value exceeds every A > 0). 

Proof Assume that (1) does not hold. Then, there is an accepting run such that some slave automaton returns 
values that exceed the value A • conf(A) infinitely often. Observe that if a slave automaton 23 accumulates a 
value exceeding A • conf (A) during a run 7 r, then the nested weighted automaton A is in the same configuration 
at least twice during the run 7 r and meanwhile 25 increases its value. Therefore, one can pump the run of the 
nested weighted automaton to increase the value returned by 25. It follows that we can pump successively the 
run on A such that infinitely often the following holds: a slave automaton started at a position k accumulates the 
value exceeding k 2 . A run with such a property has an infinite weight according to the semantics LimAvg( 7 t) = 

limsupfc^ i ■ ELiCC'MM n 

Now, we are ready to prove decidability of the universality problem for functional (LimAvG; Sum + )- 
automata. 

Proof of (2) from Theorem\T5\ If (1) holds, A is equivalent to a functional (LimAvG; SUM S )-automaton A', 
where B = A • conf(A). The size of A' is exponential in |A|. The universality problem for functional 
(LimAvG; SUM s )-automata is PSPACE-complete, which implies the the universality problem for functional 
(LimAvG; Sum + ) -automata is in ExpSpace. Otherwise, if (2) holds, then an answer to the universality prob¬ 
lem for A is “No” for every A. Now, it can be detected whether (1) or (2) holds by reduction to the universality 
problem for functional (LimSup; Sum + ) -automata, which is PSPACE-complete. □ 

Remark 21. The size of A' is polynomial in the size of the master automaton of A. Therefore, the universaility 
problem is in PSPACE. The universality problem for functional SUM + -weighted automata is PSPACE-hard, hence 
the universality problem for (LimAvG; S\JM + )-automata is PSPACE -complete assuming that the total size of slave 
automata is bounded. 

4.4 Summary and Open problems 

While we have established the decidability and undecidability of the decision problems for nested weighted au¬ 
tomata for almost all cases, there is one open problem which we present as a conjecture. 

Conjecture 22. The emptiness problem for non-deterministic (LimAvG; Sum (-automata is decidable. 

Tables |T|and [ 2 ] summarize our results. 

Complexity. The decision problems are PSPACE-complete, in ExpSpace, or undecidable. We show in Theoreml25l 
that (deterministic) nested weighted automata are exponentially more succinct than (non-deterministic) weighted 
automata, which explains ExpSpace complexity of some universality problems. 

We present the proof of the emptiness case from Theorem[T9]in Section[6] 

Discussion on inclusion. The emptiness and universality problems reduce to the inclusion problem, where the 
inclusion problem given two automata Ai and A 2 asks whether for every word w we have C^(w) < C^ 2 (w). 
Therefore, for decidability of the inclusion problem both the emptiness and the universality problem must be 
decidable. Hence, in the non-deterministic case, for value functions studied in Table [2] the inclusion problem can 
be decidable only in two cases: 

1. for (/; < 7 )-automata, where g is regular value function, and / € InfVal \ {LimAvg}; 
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Inf 

LimInf 

Sup 

LimSup 

LimAvg 

Min, Max 
Sum b 

Empt. 

Univ. 

PSp.-c ® 

Sum 

Empt. 

PSp.-c <03 

Undec. (Q3 

Open d22l> 

Univ. 

Undec. (1151) 

PSp.-c <U3 

SUM + 

Empt. 

Univ. 

PSp.-c O 

ExpSp. <Q3 


Table 1: Decidability and complexity of the emptiness and universality problems for functional (/; g) -automata. 
Functions / are listed in the first row and functions g are in the first column. The undecidability results hold even 
for deterministic automata. Next to each result there is a reference to the corresponding theorem or conjecture. 
PSp. (resp. ExpSp.) denotes PSpace (resp. ExpSpace). 



Inf 

LimInf 

Sup 

LimSup 

LimAvg 

Min, Max 
Sum 5 

Empt. 

PSp.-c C[3]i 

Univ. 

ExpSp. 

Undec. (|3 

Sum 

Empt. 

PSp.-c <03 

Undec. (Q3 

Open (122b 

Univ. 

Undec. (115b 

Undec. (|3 

Undec. (|6Ji 

SUM + 

Empt. 

PSp.-c <Q3 

ExpSp. <03 

Univ. 

ExpSp. (I16t 

Undec. (|3 


Table 2: Decidability and complexity of the emptiness and universality problems for non-deterministic (/: g)- 
automata. PSp. (resp. ExpSp.) denotes PSpace (resp. ExpSpace). The alignment is as in TableQ] 



Inf 

LimInf 

Sup 

LimSup 

LimAvg 

Min, Max 
Sum b 

Empt. 

PTime 

Univ. 

PSpace-c 

Sum 

Empt. 

PTime 

Undec. 

Open (l22l) 

Univ. 

Undec. 

PSpace-c 

Sum + 

Empt. 

PTime 

Univ. 

PSpace-c 


Table 3: Decidability and complexity of the emptiness and universality problems for functional (/; <y)-automata 
whose slave automata have size bounded by a constant. The alignment is as in TableQ] 



Inf 

LimInf 

Sup 

LimSup 

LimAvg 

Min, Max 
Sum 5 

Empt. 

PTime 

Univ. 

PSpace-c 

Undec. 

Sum 

Empt. 

PTime 

Undec. 

Open (122b 

Univ. 

Undec. 

Undec. 

Undec. 

Sum + 

Empt. 

PTime 

Univ. 

PSpace-c 

Undec. 


Table 4: Decidability and complexity of the emptiness and universality problems for non-deterministic ( f;g)- 
automata whose slave automata have size bounded by a constant. The alignment is as in TableQ] 
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2. for (/; SUM + )-automata, where f £ InfVal \ {LimAvg}. 

In fact, in case 0, the inclusion problem is undecidable as well. Indeed, inclusion of SUM + -automata 
over finite words reduces to the inclusion of (/; SUM + )-automata, where / £ {Inf, LimInf, Sup, LimSup}. 
It has been shown in III that the inclusion problem for SUM + -automata is undecidable. Therefore, the in¬ 
clusion problem in case Q is undecidable. As automata in case 0 are equivalent to sil(/)-automata for 
/ £ {Inf, LimInf, Sup, LimSup} (Lemma Hot, which are essentially equivalent to /-automata, the inclusion 
problem is decidable IflZl . 

Remark 23 (Parametric complexity). The complexity results summarized in 'Tables [7] and [2] are given w.r.t. the 
size of a nested automaton, i.e., the sum of the size of the master automaton and the total size of slave automata. 
However, if the total size of slave automata is bounded by a constant, then we show that the complexity of all 
emptiness problems decreases from PSPACE (resp. ExpSpaCE) to PTlME, and all the universality problems 
become PSPACE -complete (Re marks \ I I\ and \3% . In other words, we show that the complexity of emptiness and 
universality in the size of the master automaton (with the total size of slave automata considered as constant) 
matches that of Boolean non-nested automata. (For every f £ InfVal the universality problem for functional 
f-automata is PSPACE -complete sm>- Interestingly, bounding the total size of slave automata does not change 
decidability status; all undecidability results still hold. The parametric complexity results are summarized in 
Table\3\and Table\4\ 


5 Applications 

In this section we discuss several applications of nested weighted automata. 

5.1 Quantitative system properties 

We have shown (Example 0 that basic properties such as average response time can be expressed conveniently 
as a nested weighted automaton. We also argue that our framework is a natural extension of the framework of 
monitor automata for Boolean verification, and is a step towards quantitative run-time verification. 

Quantitative monitor automata. In verification of Boolean properties, the formalism with monitor automata is a 
very convenient way to express system properties ff26l . The specification for a system can be decomposed into 
subproperties, each monitor automaton tracks a subproperty, and the logical value of the specification is inferred 
from the results of the monitor automata. To be more specific, given an LTL specification, the logical value of 
every subformula is tracked by a monitor automaton. A monitor automaton is a transducer that at each position 
of the word outputs whether the current suffix satisfies the given subformula. The monitor automata for complex 
formulae are constructed from monitor automata for their immediate subformulae. Finally, the answer whether a 
given word satisfies the specification is encoded as the first output of the monitor that corresponds to the whole 
LTL formula. Our nested weighted automata framework can be seen as a natural extension of the formalism 
provided by monitor automata. Below we argue how nested weighted automata provide a convenient framework 
for specification, with added expressiveness, and is a first step towards quantitative run-time verification. 

• Ease of specification. A specification formalism is a convenient framework if complex specifications can 
be easily decomposed. For Boolean properties, monitor automata were introduced for this purpose: in other 
words, for Boolean properties, though monitor are not more expressive than the standard automata, yet they 
are widely used as they provide a framework where specifications can be conveniently described. In our 
setting, in the spirit of monitor automata, each slave automaton can specify a subproperty of the system, 
and the master automaton combines the result obtained from all the slave automata. This (as in the case 
of monitor automata) allows decomposing quantitative properties into subproperties and thus eases the task 
of specification. For example as shown in Example [5] to compute average response time, for each request 
the master automaton invokes a slave automaton that computes the response time (a subproperty for every 
request) and then the master automaton with limit-average value function combines the subproperties to 
obtain the average response time. 

Example 24 (Average resource consumption). Consider a system with at most n concurrently running 
processes, in which processes can be started and terminated. The system has available resources 7'i,..., r*,. 
The quantitative property of average resource consumption, which asks what is the average number of 
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different resources allocated by processes, can be expressed in a convenient way by a (deterministic) nested 
weighted automaton A defined as follows. The master automaton of A starts a separate slave automaton 
*8 when a new process is started. The slave automaton '23 runs until the process terminates and counts 
how many different resources r\,..., the given process allocates. The counting can be implemented by 
a Ma X-automaton with weights {0,1,..., k}. Then, the master automaton computes the limit average of 
resource consumption computed by slave automata. Since every (LlMAVG; Ma x)-automaton is equivalent 
to some sil(LlMAVG )-automaton (Lemma\l0i. average resource consumption can also be expressed by a 
weighted automaton. However, construction of such a weighted automaton is cumbersome and it essentially 
follows the proof of Lemma Udl 

We use Example l24l to show that (deterministic) nested weighted automata can be exponentially more suc¬ 
cinct than (non-deterministic) weighted automata. Let ARC(n) denote the average resource consumption 
property for n-processes. 

Theorem 25. There is a deterministic (LimAvG;Ma x)-automaton of the size 0(n) expressing ARC(n), 
while every non-deterministic sil(LlM AVG)-automaton expressing ARC (n) has states. 

Proof. Recall the the automaton A from Example l24l that expresses average resource consumption. Its size 
is linearly bounded in the number of processes n. It remains to show that every sil(LlMAvG)-automaton 
expressing ARC(n), average resource consumption for n processes, has 2 n< - ra - ) states. To show that, we need 
to give a more precise description of the system in consideration and its modeling. 

We assume for simplicity that there is only a single resource. Each process i £ {1,..., n} is associated with 
the following actions: start (si), allocation of the resource (af), and termination (ti). Formally, average 
resource consumption in w is defined as the limit average over all positions p at which a process starts 
w[p] = Si (for some i) of the indicator (0/1) whether a,; occurs in w between position p and the first 
occurrence of ti past p. 

We show that unless a sil(LlMAVG)-automaton has at least 2 05ra states, it cannot compute average resource 
consumption. Assume towards contradiction that a sil(LlMAVG)-automaton A has less than 2 05ra states 
and computes average resource consumption. For every A C {ai,..., a„}, we define a word a a £ A* 
as a periodic listing of all letters from A |.A| times, i.e., (bi... b s ) I- 4 !, where {&i,..., 6 ^} = A. Consider 
execution traces wa = (suAt) u , where s = Si... s n , t = ti... t n . Given a word wa, let 7ta be a run of A 
on wa of the minimal value. Due to periodicity of w u , such a run exists. We show the following claim: 

(*) There exist cycles ca,cb in the automaton A such that (1) c a ■ cn are labeled with words over different 
alphabets A, B, with |A| = \B\ = 0.5n, (2) ca, cb share a state q that occurs in both runs tta, ttb with 
positive density, and (3) each of ca, Cb is either silent or its average weight is 0.5n. 

We shall prove (*) later; first we show that (*) implies that A does not express average resource consumption. 
Indeed, consider a pair ca, cb from (*) and «, from B \ A. We insert into the run tta the cycle cb at all 
positions where q occurs. Let tt' a be the resulting run, and let w' A be the word that corresponds to tt’ a . The 
resulting run tt' a has the same value as tt A , but average resource consumption in w' A is higher. Indeed, 
in all blocks sut, for some u, in which u is different from u A , the number of different letters in u is at least 
| A\ + 1. In the remaining blocks, the number of different letters is A . Since blocks sut with u f ua occur 
with positive density, average resource consumption in w A is strictly higher than -. But, the value of w A 
does not exceed -j as tt' A is an accepting run on w' A of the value ^. It follows that A does not express the 
average resource consumption property. 

Now, we prove (*). Consider a word wa and an occurrence of ua at position p in wa- Since |ua| > 
|A| + 2 ■ |A|, there is a state q that occurs twice in the run tta between positions p and p + \ua\ (the part 
corresponding to the considered occurrence of ua) and the distance between occurrences of q between | A 
and |it^| — \ A\. These occurrences of q indicate a cycle, ca, p , in A, which is labeled with all letters from A. 
Indeed, among any | A\ consecutive letters in ua each letter from A occurs. Now, we select c A from cycles 
ca,z, where i varies, that occurs with positive density in tta- Let qA be the state that occurs in c A - 

As there are more than 2°' 5n subsets of {ai,..., a n } of cardinality 0.5n, there is a state that occurs in two 
cycles ca , cb with A A B. It remains to show that ca, cb are either silent or their average weight is i. If the 
average weight of ca is greater than -j, we can decrease the value of tta by removing all occurrences of c A - 
Recall that the length of ca is at most ua \ — \A\, therefore if we remove all parts of wa that correspond to 
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ca , each process in the resulting word has resource consumption 0.5?i, hence average resource consumption 
is still -t . But, the value of the corresponding run is lower than |, a contradiction. Conversely, if the value is 
lower than i, we can pump that cycle to obtain a run of the value smaller than ^ on a word whose resource 
consumption for each process is 0.5n. Thus, ca is either silent or its average weight value is □ 

• Expressiveness. More importantly, as mentioned above, for Boolean properties, monitor automata only 
add convenience but not expressiveness, whereas we show that for quantitative properties, nested weighted 
automata are strictly more expressive than non-nested weighted automata. Moreover, we show that the 
added expressiveness of nested weighted automata comes with the ability to express natural quantitative 
properties (like average response time) that could not be expressed as non-nested weighted automata. 

• Quantitative run-time verification. Finally, monitor automata are specially useful for safety properties, 
and widely used in run-time verification If20l . Our nested weighted automata can be seen as the first step 
towards quantitative run-time verification. Each slave automaton acts as a monitor and returns values of 
subproperties of the system. If the value function of the master automaton is commutative (as in all our 
examples), the master automaton can compute an on-the-fly approximation of the value function for finite 
words. 


5.2 Model measuring 

The model-measuring problem II2T1 asks, given a model and a specification, what is the maximal distance p such 
that all models within distance p from the model satisfy the specification. Formally, a model M and a specification 
S are Boolean automata. Given M, a similarity measure (of M) is a function dM from infinite words to positive 
real numbers such that for all traces w in Cm we have dM^iv) = 0. Similarity measures extend to models in 
a natural way; i.e., dM(M') = sup {(1m(w) : w is a trace of M'}. The stability radius of S in M w.r.t. the 
similarity measure dM- denoted by sr d M (M, S ), is defined as sr d M (M, S ) = sup{p > 0 : MM' (dM{M') < p => 
Cm Q Cs)}- We are interested in similarity measures dM defined by nested weighted automata (resp. weighted 
automata as in ED). Note that dM is independent of the specification. The model-measuring decision problem 
of whether sr,/ M (M, S) < X reduces to the emptiness decision question l2fl . We now show how nested weighted 
automata can define interesting similarity measures dM- 

Example 26 (Bounded delays). Consider the model M for two processes communicating through a channel, 
where every sent packet is delivered in the next state. Let $ denote the event of neither sending or receiving 
packets, Si and r\ (resp. s -2 and r 2 ) the send and receive for process 1 (resp. process 2). The language of M can 
be described as a regular expression as follows: (($)* • (siTi)* • ($)* • 

Note that dM must assign value 0 to every trace in the language of M. Also dM needs to assign values to 
traces where the delivery of packets can be delayed by a finite amount. Hence we first need to relax the language 
of M as Mr such that every packet sent is received with a finite delay; and dM assigns values to traces in the 
language of Mr. The relaxed language Mr is obtained as follows: consider the following languages L\ and L 2 

L x = ($* • (si$*n)* • $*)“; andL 2 = ($* • (s 2 $*r 2 )* • $*)"; 

where L\ denotes that every sent for process 1 can be delayed by a finite amount and analogously L 2 for process 2. 
The language of Mr is the shuffle (arbitrary interleavings) of L\ and L 2 . 

The similarity measure dM is defined as a (SUP; SUM + )-automaton Ajj that computes the maximum delay 
in the following way. When a packet is sent, the master automaton starts a slave SUM + -automaton that counts 
the number of transition until the packet is delivered. If no packet is sent, the master automaton takes a silent 
transition. The product automaton Mr and Ar> defines the desired similarity measure. 


5.3 Model repair 

The model-repair problem, given a model and a specification, asks for the minimal restriction of the model such 
that the specification is satisfied. Given a model M, a repair measure (Im is a function from infinite words to real 
numbers such that dM{w) < 00 iff w £ Cm- Intuitively, the measure evaluates the hardness of traces of M, which 
can be used to evaluate severity of the violation of the specification. We are interested in dM specified by nested 
weighted automata (resp. weighted automata). Given a model M, a repair measure dM, and a real number r, we 
define the language d^f as {w : dM{w) < r}. The model-repair decision problem, given a model M, a repair 
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measure cLm , and a specification S, asks whether sup{r : dfif C £ 5 } < A. The model-repair decision problem 
also reduces to the emptiness question. 

Example 27 (Context-switches). Consider a system consisting of a scheduler and two programs. The scheduler 
starts processes infinitely often and does preemptive scheduling. To obtain a finite-state model, we consider that 
only a single instance of each program may run at a given time. Consider the repair measure d.M that represents 
the negative of the minimal slot length, i.e., for all w we have dM{w) = —k iff each process in the execution w 
runs for at least k steps. The repair measure can be defined by a functional (SUP; SUM ) -automaton Ar as follows. 
After each context-switch, the master automaton starts an automaton that computes the running time until the next 
context-switch and multiplies it by —1 (i.e., add —1 at each step). At steps at which there is no context switch, 
the master automaton takes a silent transition. It follows that the supremum of all those values is the length of 
the shortest running time of a process multiplied by —1. Although, the emptiness problem is undecidable for 
(SUP; SUM )-automata, the automaton Ar has only non-positive weights. The emptiness problem for (SUP; Sum)- 
automata with non-positive weights reduces to the universality problem for (INF; S\JM + )-automata, which is 
decidable. 

Remark 28 (Decidability of examples). Note that for all examples presented in the paper, they belong to the class 
of nested weighted automata for which we establish decidability of the emptiness problem. 

Remark 29 (Robustness of nested weighted automata). The model of nested weighted automata is robust with 
respect to several changes, e.g., (i) instead of labeling function on transitions we can have labeling function on 
states; or (ii) instead of invoking one slave automaton in every transition a constant number of slave automata 
can be invoked. These changes do not change the expressive power, nor the decidability and the complexity results 
for nested weighted automata. 


6 Emptiness of (LimAvg; Sum + )- automata is in ExpSpace 

In this section we prove that the emptiness problem for (LimAvg; SUM + )-automata is in ExpSpace ((1) from 
Theorem fT9l>. as the proof itself is interesting and requires new and non-standard techniques. We first present an 
overview of the proof. 

Overview of the proof. The key argument will be to simulate a given (LimAvg; SUM + )-automaton A by a 
sil(LlMAvG)-automaton, however, the main conceptual difficulty is that (LimAvg; SUM + )-automata are strictly 
more expressive than sil(LlMAVG)-automata. We circumvent this problem (which is non-standard for weighted 
automata) in the following way: 

1. Step 1. We establish a property € on runs of a (LimAvg; SUM + )-automaton A such that (a) the infimum 
over values of runs satisfying C is the same as the infimum over values of all runs, and (b) there is a 
sil(LlMAvG)-automaton that simulates A on runs satisfying C. 

2. Step 2. We give the construction of a sil(LlMAVG)-automaton A specified in the condition (b) from Step 1. 

Although, A simulates A, weighted automata and nested weighted automata accumulate weights in a differ¬ 
ent way; a run of A that satisfies € and the corresponding run of A can have different values. 

3. Step 3. We show that the infima over values of all runs of A and A are equal. 

Proof of Step 1. We first introduce the notion of bounded multiplicity. 

Configuration and multiplicities. In nested weighted automata, starting a slave automaton can be seen as a uni¬ 
versal transition in the sense of alternating automata. We adapt the power-set construction, which is used to 
convert alternating automata to non-deterministic automata, to the nested weighted automata case. Given a nested 
weighted automaton A, we define configurations and multiplicities of A as follows. Let Q s i v be the disjoint union 
of the sets of states of all slave automata of A. For a run of A, we say that (q m , A) is the configuration at position 
p if q m is the state of the master automaton at position p and A C Q slv is the set of states of slave automata at 
position p. We denote by conf (A) the number of configurations of A. We define the multiplicity mult at position p 
as the function mult : <5 S ] V 1 —>■ N, such that mult(< 7 ) specifies the number of slave automata in the state q at position 
p. The configuration together with the multiplicity give a complete description of the state of A at position p. 
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Optimal runs. The general idea to solve the emptiness problem for (LimAvg; Sum + (- automata is to simulate 
a given (LimAvg; SUM + )-automaton by a sil(LlMAVG)-automaton that keeps track of configurations and mul¬ 
tiplicities. Unfortunately, unbounded multiplicities cannot be encoded in a finite set of states of a sN(LimAvg)- 
automaton. But, the emptiness problem can be solved by inspecting only selected runs. More precisely, given a 
(LimAvg; SUM + )-automaton A, we say that runs satisfying a condition £ are optimal for A iff the infima over 
values of all runs of A and runs that satisfy £ are equal. We identify a condition such that the runs satisfying it are 
optimal and can be simulated by a sil(LlMAvG)-automaton. First, we observe that without loss of generality we 
can assume that nested weighted automata are deterministic. Basically, non-deterministic choices can be encoded 
in the input alphabet. 

Lemma 30. Given a (LimAvg; S\JM + )-automaton A over £, one can compute in polynomial space a determinis¬ 
tic (LimAvg; S\JM + )-automaton A' over an alphabet £ x T such that inf„, g v;+ Ca(w) = infu,'£(£xr)+ 

Moreover, conf(A) = conf(A'). 

Proof. The proof consists of two steps. We show that (i) for every run (II, 7Ti, 7t2,...) of A there exists a simple 
run of A of the value not exceeding the value of (II, tt± , 7T2,...). Next, we show that (ii) there exists a deterministic 
(LimAvg; SUM + )-automaton A' over an extended alphabet such that the sets of accepting simple runs of A and 
accepting runs of A' coincide and each run has the same value in both automata. Then (i) and (ii) imply the lemma 
statement. 

(i) : A run of a nested weighted automaton is simple if at every position in the run slave automata that are in the 

same state take the same transition. Now, consider a run (II, 7Ti, 7t2,...) of A. Suppose that tt,, nj that are in the 
same state at the position s in the word, i.e., = ttj\j'}, where i',j' are the position in 7 r,, ttj corresponding to 

the position s in w. 

We choose from the suffixes 7 t* [*', |7T;|], 7 tj \j', |7r, |] the one with the smaller value and change the suffixes of 
both runs to the chosen one. If these suffixes have the same value, we chose the shorter one. Such a transformation 
does not increase the value of the partial sums and does not introduce infinite runs of slave automata. Indeed, a 
run of each slave automaton can be changed by such an operation only finitely many times. Thus, this transfor¬ 
mation can be applied to any pair of slave runs to obtain a simple run of the value not exceeding the value of 
(II, 7Tl, 7T 2 , . . . ). 

(ii) : Without loss of generality, we can assume that for every slave automaton in A final states have no outgoing 
transitions. Let Q a n be the disjoint union of the sets of states of the master automaton and all slave automata of A. 
We define T as the set of all partial functions h : Q d u 1 —>■ Q d u. We define a (LimAvg; Sum + ) -automaton A' over 
the alphabet Ex F by modifying only the transition relations and labeling functions of the master automaton and 
slave automata of A; the sets of states and accepting states are the same as in the original automata. The transition 
relation and the labeling function of the master automaton A' mas of A' is defined as follows: for all states q. q', 
( q , (a, h), q') iff h(q) = q ' and A mas has the transition (■ q , a, q'). The label of the transition (■ q , (a, h), q’) is the 
same as the label of the transition (q, a, q') in A mas - Similarly, for each slave automaton 23, in A, the transition 
relation of the corresponding slave automaton 23' in A' is defined as follows: for all states q , q' of 23', (q, (a, h) , q ') 
iff h(q) = q' and 23; has the transition (q, a, q'). The label of the transition (< 7 , (a, h), q') is the same as the label 
of the transition (< 7 , a , q') in 23,;. 

First, we see that conf(A) = conf(A'). Second, observe that the master automaton A' mas and all slave 
automata 23' are deterministic. Moreover, since we assumed that for every slave automaton in A final states 
have no outgoing transitions, slave automata 23' recognize prefix free languages. Finally, it follows from the 
construction that (i) for every simple run (II, 7Ti, 712 ,...) of A is also a run of A of the same value. One needs 
to encode non-deterministic transitions in functions h £ F. The value of each transition is the same by the 
construction. Conversely, (ii) a run (II, 7Ti, 712 ,,..) of A' is a simple run of A of the same value. Indeed, the fact 
that transitions are directed by functions h £ T implies that the run is simple. □ 

We attempt to simulate (LimAvg; SUM + )-automaton A by a sil(LlMAvG)-automaton. For that, we need 
to show that runs with bounded multiplicities or bounded values returned by slave automata are optimal for A; 
otherwise the state space of the simulating automaton would have to be unbounded. However, such a direct 
statement does not hold as we see in the following example. 

Example 31. Consider a (LimAvg; Sum + )-automaton A over {a, b} such that on letter a (resp. b) the master 
automaton starts a slave automaton 23 a (resp. 23b). The automaton 23 a accepts words a*b, and for a word a k b 
assigns value k mod 2. The automaton 23 b accepts words ba*b, and for a word ba k b assigns value k+2. Observe 
that the infimum over all runs of A is |. 
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At the end of a block ofk letters a, the number of slave automata running concurrently is k + l, one automaton 
21/, and k automata Q3 a , and the value returned by 25/, is k + 2. It follows that if the multiplicity of a run is 
bounded by k+l or the maximal returned values are bounded by k + 2, lengths of all block ofa’s are bounded by 
k. However, if the length of block’s of letter a are bounded by k, the value of such a run is at least Thus, 

runs of bounded multiplicity or bounded returned value are not optimal for A. 

Example [311 shows that we cannot bound the number of slave automata running concurrently or the values 
returned by slave automata. However, we can combine these two conditions, i.e., we show that while computing 
the infimum over values of runs of an (LimAvG; SUM + )-automaton, there is a constant N such that we can discard 
runs in which more than N slave automata accumulate value above N. Then, slave automata that return bounded 
values are essentially bounded sum automata, and can be eliminated, and only bounded number of slave automata 
returning unbounded values remain. E.g. the automaton A from Examnle[3Tlis equivalent to a (LimAvG; Sum + )- 
automaton A# that, instead of starting a slave automaton 23 Q , guesses the parity of the following block of letters 
a and, based on that guess, starts 21 a o or 23 a i, which terminates after a single transition and returns 0 (23 a o) or 1 
(S a i). The master automaton verifies the correctness of the guessed parity. 

Synchronized silent transitions. The bounded multiplicity property enables simulation of A by sN(LimAvg)- 
automaton, but it does not guarantee that the corresponding runs have the same value. We impose the following 
condition on optimal runs of A. We say that a run of A has synchronized silent transitions if at every position 
where the master automaton takes a silent transition, each slave automaton takes a transition of weight 0. On 
runs of A with synchronized silent transitions, the sil(LlMAvG)-automaton can take a silent transition whenever 
the master automaton of A takes a silent transition as no weighted transition is lost. To achieve synchronization 
of silent transitions, we modify slave automata so that during silent transitions of the master automaton, slave 
automata accumulate their values in their states, while taking transitions of weight 0, and flush the accumulated 
value A by taking transition of weight A once the master automaton takes a non-silent transition. We prove that 
runs with sequences of silent transitions bounded by conf (A) are optimal for A, therefore slave automata have to 
accumulate only bounded weights. 

We combine the ideas for bounding the multiplicity and synchronization of silent transitions in the following 
lemma. 

Lemma 32. Let Abe a deterministic (LimAvG; Sum + )-automaton. There is a constant c quadratically bounded 
in conf (A) and a deterministic (LimAvG; SUM + )-automaton Ao equivalent to A such that runs that have (1) mul¬ 
tiplicities bounded by c, and (2) synchronized silent transitions, are optimal for Aq. The size of Ao is exponentially 
bounded in |A|. 

Before we prove Lemmal32l we show its vital components: 

Lemma 33. Let A be a deterministic (LimAvG; Sum automaton that has an accepting run. Runs such that 
among every consecutive conf (A) steps, the master automaton of A takes a non-silent transition are optimal for 
A. 


Proof. Consider a run of A on a word w and positions i,j such that i + 2 ■ conf (A) < j and A takes only silent 
transitions between i and j. 

Observe that there are positions i < i',j' < j with the same configuration (defined in Section [6]). Consider 
a word w' resulting from removing w[i',j'] from w. The partial sum of the weights of the master automaton up 
to the position j — ( j' — i') on w' does not exceed the partial sum up to the position j on w. These partial sums 
are divided, in the average, by the same number of steps. Thus, the value of the word will not increase even if 
we can carry out this operation infinitely often. One should be careful not to remove all positions with accepting 
states. However, it is not a serious problem as we can insert sparsely subwords with an accepting state (after 
1,2,..., 2 k ,... time increase steps). Such an operation will not increase the limit average of the run. □ 

Lemma 34. Let A be a deterministic (LimAvG; Sum + )-automaton that recognizes a non-empty language. Let 
N = (|Q S | + 2) • conf (A). The runs that eventually (for every position s greater than some position So) satisfy 
the following condition (*) are are optimal for A: (*) among slave automata active at position s, at most 2 ■ N 
will accumulate value greater than 4 • N. 

Proof. For a multiplicity mult we define its restriction to N, mult In, as mult |n {q) = min(mult(q), N), for 
every q £ dom(mult). 
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Consider any word uw such that at the position u there are 2 • N slave automata that will accumulate in w 
(past the position |u| in uw) value greater than 4-N. We show a transformation of uw to uw', such that uw' has the 
same value and at the position |w| no slave automaton will accumulate in w' value greater than 4 • N. Let jo > |u| 
be a position in uw with an accepting state and let ji,... ,j n be the positions at which each of slave automata 
started before the position |u| finishes. Notethatn < |Q S |. As slave automata work on finite words such ji j n 
exist. Finally, let j be the first position greater than max(jo,ji, ■ ■ ■ ,j n ) with the configuration C uw n j_i u n = C u 
and multiplicity mult MUJ h _i u n |'n= rnult„ Cn- There are only finitely many positions |it| for which such j does 
not exist. Next, as there is no bound on j, we remove from w [ 1, j — |u |] all cycles that do not overlap with 
any position from {jo,..., jn,}. The resulting word v has the length bounded by (|Q S | + 2) ■ conf(A) = N as 
n < |Q S |. It follows that for every q £ A we have mult ul; (g) < N and mult UJJ (qj < mult„(g) [n- Indeed, 
since cycle removal does not increase the multiplicity, for every q £ A we have multn«(?) < multwiji (q) and 
mult MU ,[i j] |‘isr= multn |"n- We show that the partial sum of weights of the master automaton at the position |uu| 
in uvw is smaller than the partial sum at the position |u| is uw, which implies that the transformation uw —> uvw, 
removes a position violating our assumption, and even applied infinitely many times, does not increase the value 
of the resulting words. 

Let val be a function with dom(val) = dom(mult u ) such that val(g) is the value accumulated in w (past 
the position |tt| i uw) by any slave automaton that is in the state q at the position |u|. Equivalently, that is the 
value accumulated by the same automaton past the position \uv\ in uvw. We call a slave automaton active if 
val(g) > 4 • N, where q is the state of that automaton at the position | u| (resp. |m;|). The value of the partial sum 
up to the position |u| in uw is the value of all slave automata started before | u|. It consists of (1) + (2), where 

• (1) is the value all inactive slave automata plus the value of active slave automata accumulated up to the 
position |u|, and 

• (2) is the value accumulated in w by all active automata past the position |u|. 

Observe that (2) = vaI(<7) ■ mult„(g), where A is the set of states of active slave automata at the position 

|u|. The value of the partial sum up to the position |m;| in uvw consists of (1)' + (2)' + (3), where 

• (1)' is the value of all inactive slave automata plus the value of active slave automata accumulated up to the 
position [u\, 

• (2)' is the value accumulated by active automata in w past position |itu|, and 

• (3) is the value accumulated by all active slave automata on the word v, i.e., between the positions u and 

|m>| in uvw. 

Note that (1)' is bounded by (1), (3) is bounded by 2 • N ■ |u| < 2 • N 2 , and (2)' = K<?) ' ((?)■ 

We claim that (2) — (2)' > (3), which means that the partial sum at the position \uv\ in uvw is smaller than the 
partial sum at the position |u| in uw. Indeed, rnult„(g) ~ mult„„(g') > 2 • N — N = N and for each q £ A, 

val(qj > 4 • N, therefore (2) — (2)' is at least 4 • N 2 , which is greater than (3). 

It follows that aforementioned transformation, even applied infinitely many times, will not increase the value 
of the resulting word. Therefore, for every run of A of value A, there is so and an a run of the value not exceeding 
A such that at each position s > sq at most 2 • N will accumulate value greater than 4 • N. □ 

Proof of Lemma\32\ We transform the automaton A to an equivalent deterministic (LimAvG; SUM + )-automaton 
Ao for which runs that at each position (1) at most c slave automata run, and (2) if the master automaton takes 
a silent transition, each slave automaton takes a silent transition, are optimal. Due to Lemma [34] runs for which 
eventually at most 2 • N slave automata accumulate value greater than 4 • N are optimal for A. Moreover, by 
Lemma[33lruns in which at least one in every conf (A) transitions is non-silent are optimal for A. 

We define an automaton Ao by modifying A in two ways. First, we extend the input alphabet to include the 
marking of the position sq past which at most 2 • N slave automata accumulate value greater than 4 • N are optimal 
for Ao. Prior to that marking, a modified automaton starts only dummy slave automata that immediately terminate. 
Past that marking Ao simulates A. Second, we modify each slave automaton of A in such a way that is runs as 
long as it can accumulate the value exceeding 4 • N. More precisely, the master automaton starts only automata 
that return values exceeding 4 • N. For other slave automata it “guesses” their value from the set {0,..., 4 • N} 
and runs a dummy automaton that takes only a single transition of this weight. As it is deterministic, we assume 
that the “guess” is encoded in the input word. Started slave automata run as long as they can accumulate the value 
exceeding 4 ■ N. Once a slave automaton guesses that this is not possible, it takes a transition of the weight 4 • N 
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and terminates. Again, that “guess” is encoded in the input word, therefore the master automaton is able to verify 
that this “guess” is correct. 

The automaton Ao simulates the runs of A past the position so and each running slave automaton accumulates 
the value exceeding 4 • N. Therefore, there is a run of Ao on a word corresponding to w op t such that at most 
2 • N + 1 slave automata run concurrently. The automaton Ao is equivalent to A, as the return values of slave 
automata past the position so are the same and the LimAvg value function does not depend on finite prefixes. 
Therefore, runs satisfying conditions ( 1 ) and ( 2 ) are optimal for Ao- □ 

The size of the automaton Ao from Lemmal 32 lis polynomial in the size of the master automaton of A. 

Proof of Step 2. We now prove Step 2 which basically involves the classic power-set construction. 

Construction of A. We adapt the classic power-set construction to construct a sil(LlMAvG)-automaton A that 
simulates runs of a given (LimAvg; SUM + )-automaton A with bounded multiplicities and synchronized silent 
transitions. Let A be a deterministic (LimAvg; SUM + )-automaton. Without loss of generality (Lemma l 32 l). we 
assume that runs with ( 1 ) multiplicities bounded by c and ( 2 ) synchronized silent transitions are optimal for A. 
The automaton A, which simulates runs satisfying ( 1 ) and ( 2 ), keeps track of the current configuration and the 
multiplicity of A. That is, the set of states of A is Q m x c^' lv , where Q m , Qsiv are respectively the set of states 
of the master automaton and the union of the sets of states of all slave automata of A. The component c Qslv 
encodes a part of configuration and multiplicity. For all states (gi, h \). (q>, h 2) of A and every letter a, A has 
a transition ((qi,hi),a, (<72,^2)) iff the master automaton has a transition (<71,0,(72) with the label i and the 
multiplicities /12 follow from hi according to transitions of the slave automata and invocation of Tv,. The weights 
of transitions of A are defined as follows. If the transition (q \, a, qf) of the master automaton of A is silent, the 
transition ((<71, hi), a, (q2, /12)) is silent. Otherwise, the weight of ((qi, hi), a, (q2, hf)) equals the sum of weights 
of the corresponding transitions of simulated slave automata multiplied by their multiplicities hi. Recall that the 
simulated runs have silent transitions synchronized, therefore, the values accumulated by each slave automaton 
and the corresponding simulated automaton are equal. 

Given a run of A one can construct a run of A with multiplicities bounded by c, and vice versa. Hence, for a 
run of A (resp. A) we refer to the corresponding run of A (resp. A). We can solve the emptiness problem for A 
as sil(LlMAvG)-automata behave similarly to LlMAvG-automata: 

Lemma 35. (1) The emptiness problem for s\\(LimAw G)-automata is in NLOGSPACE. (2) For every sil(LlMAVG)- 
automaton A that recognizes a non-empty language, there is a run i) of A such that (a) the value ofrj is minimal 
among values of all runs of A (b) at least one in every |„4| transitions is non-silent, and (c) partial sums converge, 
i.e., 

, k . k 

lim sup - • 53(C(t7))[i] = lim inf - • ^(C(??))[i] 

k—>00 ft , fe—>-oo tv 

2=1 2=1 

Proof. Let A = (E, Q, go, <5, F, C) be a sil(LlMAvG)-automaton. We show that if there is a run of A of the value 
not exceeding A there is a lasso run such that the average weight in its cycle does not exceed A, i.e. there is a run 
7 T = 7r[0]7r[1]... tr[n] of length n < |A| on a word w = to[l]... w[n] such that 7r[0] = qo, for some i < n we have 
7 r[i] = 7r[n] (such a run 7r is called a lasso), 7r[0],..., tr[n — 1] are distinct and -A^{C{Tt\t\,w\i + 1], tt\i + 1]) + 
... + C(Tt[n — 1], w\n\, 7r[n])) < A. The existence of such a lasso can be decided in NLogSpace, which shows 
(1). As there are only finite number of values of lassos, there is Ao which is the smallest. It follows that there is 
no run of A of the value smaller than Ao; otherwise there would be a lasso of the value not exceeding A'. Thus, 
the lasso of the value Ao has the minimal value among values of all runs, and the sequence of partial averages 
converge. 

First, we define a LlMAVG-automaton _ 4 f, x such that for every accepting run 77 of A, the run 77', resulting from 
77 by removing silent transitions, is an accepting run of Ar x , and vice versa, every accepting run of Ar x can be 
extended to a run of A by inserting silent transitions. The set of states of Afi x is the same as A and the transition 
relation of Ar x consists of [qi,a, <72) such that there is (q[, a, q' 2 ) G 5 and q[ (resp. <72) is reachable from <71 (resp. 
qf) by a path consisting of only silent transitions. The weight of such a transition is the infimum over the weights 
of transitions (q[,a, q' 2 ) G S that generate (qi,a, <72)- It follows from the construction that Aq x has the stipulated 
properties and their corresponding runs have the same value. Therefore, An x has a lasso Iq such that the average 
weight in its cycle does not exceed A. The lasso Iq can be extended to a lasso 1 1 in A, which can have states that 
occur multiple times. We can remove duplicate states in the following way, if the average weight between i and j 
with li[i] = li[j] is above A, we remove all the states between i + 1 and j. Otherwise, if the average weight does 
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not exceed A, we can remove all the states following n\j}. Hence, we have shown that if A has a run of the value 
A it has a lasso such that the average weight in its cycle does not exceed A. □ 


Proof of Step 3. We now prove Step 3, i.e., we show that the emptiness problems for A and A coincide. The main 
problem is that, even though a run of A and the corresponding run of A represent the same sequences of weights, 
they can have different values. Still, we show that infima over values of all runs of A and A are equal. 
Accumulation of weights. The automata A and A compute their values differently. In A a slave automaton started 
at a position k computes its value and returns it as a weight of the transition at position k, whereas in A, simulated 
slave automata run concurrently and add their weights to the partial sum at each step. To visualize this, consider a 
matrix such that the value at (i,j) is the weight of the transition of y-th slave automaton at position i in the input 
word. Then, the value of A is the limit average of the sums of rows, whereas the value of A is the limit average of 
the sums of columns. 
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Figure 2: The matrix depicting the difference in aggregation of weights by A and A. 


In consequence, a run of A and the corresponding run of A can have different values. 

Example 36. Consider the automaton A# that has been discussed above as a modification of an automaton from 
Exanwle \3 h and a word w = bab ... ba 2 _ 1 6 .... At position 2 k + 1, the partial sum X^ J :=i(C , ( 7 r j)) (iV equal to 
the sum of (1) the values of blocks bab ,..., ba 2 _1 6 and (2) the value o/23 b started at the beginning ofba 2 

equal 2 k — 1. The value of a block ba 2 ~ 1 b equals 2 l — 1 (accumulated by 23^) plus 2 l ~ 1 — 1 (accumulated by 
23 a i). Thus, the value (1) equals 2 k + 2 k ~ 1 — 2 ■ k, i.e., 2 k + 2 fc_1 — 0(k). Therefore, the partial average at 
position 2 k +1 is | — O(^). Thus, the value ofw assigned by A# is |. In contrast, the automaton A& simulating 
A# simply takes a transition of weight 0 on letter b, 1 on even occurrences of letter a and 2 on odd occurrences 
of letter a. The value ofw assigned by A# is |. 

Nevertheless, we show that the emptiness problems for A and A coincide. In the following lemma we will use 
a notion of reset words used to terminate long runs of slave automata. 

Reset words. Given a word w, a finite word u is a reset word for A at position i if in w[l, i]uw[i + 1, oo] we 
have (1) the configuration of A at positions i and i + \ a is the same (recall that A is deterministic), and (2) all 
slave automata active at position i terminate before position i + |u|. We say that the word w[ 1 , i\uw[i + 1 , oo] 
is the result of injecting a reset word at position i. Observe that (1) implies that A accepts w iff it accepts 
w\f, i]uw[i + 1 , oo]. As in an accepting run of A past some finite position all configurations occur infinitely often 
and all slave automata terminate after finite number of steps, therefore at almost all positions p, there exists a 
reset word that can be injected at p. Basically, that word occurs already at position p. In addition, by simple 
(un)pumping argument we can show that for almost all positions there exist reset words with length bounded by 
IQstvl • conf(A). 

Lemma 37. The emptiness problems for A and A coincide. 

Proof. Observe that for every run (n, 7 Ti, 7 r 2 ,...) of A with at most c concurrently running slave automata, and 
the corresponding simulation run p of A at every position k we have X^i=i(C( 7 7))W — Xw=i(^( 7r *))- Therefore, 
the infimum over runs of A does not exceed the infimum over runs of A. 

Conversely, due to Lemma [35] A has a run p of the minimal value and whose sequence of partial averages 
converges. First, we show that there is a run p' of the same value as p such that in the corresponding run of A, 
for every k greater than some constant, each slave automaton started before position k, terminates before position 
k + log(fc). Then, we show that p' and the run of A corresponding to p' have the same value. 


24 

















































































Consider a sequence {«,},>() where ao is the least position past which every configuration occurs infinitely 
often and Oj+i = cti + logcu. Observe that |{aj : a,i < fc}| = o(fc), i.e., lim*,-,. oo = o. Let 7/ be a 

run obtained from 77 by injecting reset words on positions a>i in 77 . The value of 7 / is the same as the value of 77 . 
Indeed, for almost all k we have 

k k 

EW))W<E( c w)H+°( fc ) 

i =1 i=1 

It follows from the fact that there are \{a,i : a, < /,:} = o(k) reset words up to position k and the total increase 
of the partial sum due to each of them is bounded by the product of (1),(2),(3), where (1) is the maximal length 
of a reset word, (2) is the number of currently running slave automata, and (3) is the maximal weight a slave 
automaton can take. Note that (1),(2),(3) are bounded by a constant, hence up to position k, the total increase of 
the partial sum due to injected reset words is o(k). Due to Lemma [35l there are at least jj- non-silent transitions 
up to position k. Hence the values of 7 / do not exceed the value of 77 , which is minimal. Hence, the values of //, 77 ' 
are equal. 

Now, we consider a run of (n, 7 Ti, 7 T 2 , ...) of A that corresponds to 77 '. Observe that each slave automaton 
started at position k, terminates after at most log k steps. Therefore, the partial sum of weights of (n, 7Ti, 7 T 2 ,...) 
up to k is bounded by the partial sum of weights in 77 ' up to k + log k, i.e., for almost all k we have 

k k k +log k 
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2= 1 2=1 2=1 

However, each (£7(?/))[i] is bounded by a constant. Therefore, Y!i=k+i (C(ri'))[i] = O(logfc). Again, as the 
number of non-silent transitions up to position k is fl(fc), we have lim / t _>, 00 °q(E = 0 . Since A and A take non- 
silent transitions at the same positions, the limit averages of (C'(? 7 / ))[l], (C'(? 7 , ))[ 2 ],... and £7(71-1), C { 1 : 2)1 • • ■ are 
equal. Thus, the value of the infimum over runs of A does not exceed the value of the infimum over runs of A. 
This implies that the emptiness problems for A and A coincide. □ 

Finally, we prove the main statement. 

Lemma 38. The emptiness problem for (LimAvG; SVM + )-automata is in ExpSpace. 

Proof. First, we transform a given (LimAvG; SUM + )-automaton A to a deterministic (LimAvg; Sum + )- 
automaton A d (Lemma l30l >. The transformation does not change the cardinality of the set of configurations, 
i.e., C(A) = C(A d ). Next, we transform A d to an equivalent automaton A' for which runs with (1) multiplicities 
bounded by c and (2) synchronized silent transitions are optimal (Lemma l32l>. Finally, we define a sil(LlMAVG)- 
automaton A that simulates A' on runs that satisfy (1) and (2). Since the emptiness problems for A' and A coincide 
(Lemma l37l i. we solve the former. 

Observe that the size of A is doubly exponential in the size of A. Indeed, let £)' K . be the disjoint union of 
the sets of states of the slave automata of A'. The size of Q[ h , is exponential in the size of A, therefore c-A'. | j s 
doubly-exponential. However, the emptiness problem for A is decidable in NLogSpace (Lemma [35l>. Hence, 
the emptiness problem for (LimAvg; SUM + )-automata is in ExpSpace. □ 

Remark 39. The transformations from Lemma \30\ and Lemma\32\are polynomial in the size of the master automa¬ 
ton of a given nested automaton A. Then, the number of configurations and, in consequence, c are polynomial 
in the size of the master automaton of A. Finally, the set of states of the s\\(LlMAVG)-automaton A constructed 
in Step 2 is Q m x c < ^ dv . Thus, it is polynomial in the size of the master automaton of A as well as its weights. 
Therefore, the emptiness problem of (LIMAVG; Sum + )-automata is in PTlME if the total size of slave automata 
is bounded by a constant. 


7 Related work 

In this section we discuss various related work. 

Weighted counterpart of Boolean nested automata. Weighted nested automata have been considered in J7j in the 
context of finite words, where the weights are given over semirings. It is further required that the semirings of 
all master and slave automata coincide, while in our case, the value functions may differ. Since the semirings of 
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master and slave automata must coincide for G), it can be interpreted as defining weighted counterpart of Boolean 
nested automata over finite words. Adding nesting structure to words and trees have been extensively studied 
for non-weighted automata in J2j[5[ and also applied to software model checking 0. The work of 0 defines 
a weighted counterpart of nesting of finite words, whereas we consider nesting of various weighted automata to 
express properties of infinite behaviors of systems. Properties such as long-run average response time cannot be 
expressed in the framework of 0. 

Weighted MSO Logics. Quantitative properties can be expressed in weighted logics, for example. Weighted MSO 
Logics OH and weighted temporal logic 0. For the basic decision problems for weighted logics over infinite 
words, the reduction is to weighted automata. For a given set of value functions that assigns values to infinite runs 
(such as FinVal and InfVal), weighted MSO logics are as expressive as weighted automata with the same class of 
value functions tm It follows that with FinVal and InfVal as the value functions, weighted MSO logic cannot 
express the average response property. One can express average response time in weighted MSO logics by adding 
average response time itself as a primitive value function in the w-valuation monoid. The decidability of weighted 
MSO logics with such a primitive can be established by a reduction to weighted automata that are able to express 
average response time, such as nested weighted automata. However, the reduction is non-elementary, as the basic 
decision problems for even non-weighted MSO logic have non-elementary complexity, whereas our complexity 
results range from PSPACE-complete to ExpSpace. 

Register automata. Another related model for specifying quantitative properties are register automata 0 . which 
are parametrized by cost functions. The main differences between 0 and nested weighted automata are as follows: 

(i) register automata are over finite words, whereas we consider infinite words, and (ii) we consider nested control 
of automata, whereas register automaton are non-nested. As a result, both in terms of expressiveness and decid¬ 
ability results nested weighted automata are very different from register automata. For example, the emptiness of 
register automata with max and sum value functions is decidable, while we show emptiness to be undecidable for 
deterministic nested weighted automata with these value functions. 

Other related models. Other possible quantitative models are visibly pushdown automata (VPA) with limit-average 
functions, or quantitative models consider in 124ft . The framework of li24l neither captures the average response 
time property nor presents any decidability results. For VPA with limit-average functions it follows from lfl4l that 
even perfect-information VPA games (that correspond to simulation) with limit-average objectives are undecidable 
(the undecidability proof of fT4l is for general pushdown games, but the proof itself also works for VPA games). 
Thus though there exist many other quantitative models, there exists no framework that can express the average 
response time property and have elementary-time complexity algorithms for the basic decision problems. 

8 Conclusion and Future Work 

Motivated by important system properties such as long-run average response time, we introduced the framework 
of nested weighted automata as a new, expressive, and convenient formalism for specifying quantitative properties 
of systems. We answered the basic decision questions for nested weighted automata. There are several directions 
for future work. First, we have an open conjecture (Conjecture l22l) regarding the decidability of the emptiness of 
(LimAvg; SUM)-automata. Second, another interesting direction would be to establish optimal complexity results 
for the decision problems. Third, there are several possible extensions of the nested weighted automaton model, 
such as (i) two-way master and slave automata, (ii) multiple levels of nesting, and (iii) instead of infimum across 
paths consider average measures across paths (i.e., probability distributions over runs and expected value of the 
runs, as in Eol). 
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